CVE-2022-26582

HIGH

PAX PayDroid 7.1.1 Virgo V04.3.26T1 - Authenticated OS Command Injection via systool client

Title source: llm

Description

PAX A930 device with PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 can allow an attacker to gain root access through command injection in systool client. The attacker must have shell access to the device in order to exploit this vulnerability.

References (3)

Core 3

Core References

Various Sources

https://github.com/wr3nchsr/PAX-Paydroid-Advisories/blob/master/advisories/2022/CVEs/CVE-2022-26582.md

Various Sources

https://wr3nchsr.github.io/pax-paydroid-vulnerabilities-advisory-2022/

Third Party Advisory

https://cyshield.com/e077d6c3-adff-49a1-afc3-71e10140f95c

Scores

CVSS v3 7.8

EPSS 0.0087

EPSS Percentile 54.3%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-20 CWE-78

Status published

Products (1)

paxtechnology/paydroid 7.1.1_virgo_v04.3.26t1_20210419

Published Dec 16, 2022

Tracked Since Feb 18, 2026