CVE-2022-27226

HIGH · EXPLOITED IN THE WILD

iRZ Mobile Router Firmware < 2022-03-16 - Cross-Site Request Forgery via Crontab API

Title source: llm

Exploitation Summary

CVE-2022-27226 has been observed exploited in the wild (reported by VulnCheck KEV and InTheWild.io). EIP tracks 2 public exploits from researchers including John Jackson and SakuraSamuraii.

AI-analyzed exploit summary: This exploit demonstrates a CSRF-to-RCE vulnerability in iRZ Mobile Routers. It allows an attacker to execute arbitrary commands via a crafted crontab entry, leading to a reverse shell. The exploit includes both post-authentication and CSRF-based attack vectors.

Description

A CSRF issue in /api/crontab on iRZ Mobile Routers through 2022-03-16 allows a threat actor to create a crontab entry in the router administration panel. The cronjob will consequently execute the entry on the threat actor's defined interval, leading to remote code execution, allowing the threat actor to gain filesystem access. In addition, if the router's default credentials aren't rotated or a threat actor discovers valid credentials, remote code execution can be achieved without user interaction.

Exploits (2)

exploitdb WORKING POC
by John Jackson · python · remote · hardware
https://www.exploit-db.com/exploits/50832

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: iRZ Mobile Router (RU21, RU21w, RL21, RU41, RL01) through 2022-03-16
No auth needed
Prerequisites: Network access to the router · Victim interaction for CSRF (exploit2) · Credentials for post-auth RCE (exploit1)
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 15 stars
by SakuraSamuraii · poc
https://github.com/SakuraSamuraii/ez-iRZ

This repository contains a functional exploit for CVE-2022-27226, which leverages a CSRF vulnerability in iRZ Mobile Routers to achieve remote code execution via cronjob manipulation. The exploit supports both authenticated and unauthenticated attack vectors, with detailed instructions for achieving a reverse shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: iRZ Mobile Routers (through 2022-03-16)
No auth needed
Prerequisites: Network access to the target router · For CSRF: Victim interaction or valid credentials · For authenticated RCE: Valid router credentials
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Product (x_refsource_misc): https://en.irz.ru
Exploit, Third Party Advisory (x_refsource_misc): https://johnjhacking.com/blog/cve-2022-27226/
Exploit, Third Party Advisory (x_refsource_misc): https://github.com/SakuraSamuraii/ez-iRZ

Scores

CVSS v3 8.8
EPSS 0.3453
EPSS Percentile 98.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2022-04-12
InTheWild.io 2022-05-30
CWE CWE-352
Status published
Products (5)
irz/rl01_firmware < 2022-03-16
irz/rl21_firmware < 2022-03-16
irz/ru21_firmware < 2022-03-16
irz/ru21w_firmware < 2022-03-16
irz/ru41_firmware < 2022-03-16
Published Mar 19, 2022
Tracked Since Feb 18, 2026