CVE-2022-26580

MEDIUM

PAX PayDroid 7.1.1 Virgo V04.3.26T1 - OS Command Injection via ADB Daemon Shell Service

Title source: llm

Description

PAX A930 device with PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 can allow the execution of specific command injections on selected binaries in the ADB daemon shell service. The attacker must have physical USB access to the device in order to exploit this vulnerability.

References (3)

Core 3

Core References

Various Sources

https://github.com/wr3nchsr/PAX-Paydroid-Advisories/blob/master/advisories/2022/CVEs/CVE-2022-26580.md

Various Sources

https://wr3nchsr.github.io/pax-paydroid-vulnerabilities-advisory-2022/

Third Party Advisory

https://cyshield.com/e077d6c3-adff-49a1-afc3-71e10140f95c

Scores

CVSS v3 6.8

EPSS 0.0175

EPSS Percentile 74.9%

Attack Vector PHYSICAL

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-78

Status published

Products (1)

paxtechnology/paydroid 7.1.1_virgo_v04.3.26t1_20210419

Published Dec 16, 2022

Tracked Since Feb 18, 2026