CVE-2022-27255

CRITICAL

Realtek eCos RSDK and MSDK - Remote Code Execution via SIP ALG SDP Data Overflow

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2022-27255. PoCs published by infobyte, stryker-project.

Description

In Realtek eCos RSDK 1.5.7p1 and MSDK 4.9.4p1, the SIP ALG function that rewrites SDP data has a stack-based buffer overflow. This allows an attacker to remotely execute code without authentication via a crafted SIP packet that contains malicious SDP data.

Exploits (2)

nomisec WORKING POC 279 stars
by infobyte · poc
https://github.com/infobyte/cve-2022-27255

This repository contains a working PoC for CVE-2022-27255, a buffer overflow vulnerability in the Realtek eCos SDK SIP ALG. It includes firmware analysis tools, Ghidra scripts for vulnerability detection, and exploit code targeting specific routers like the Nexxt Nebula 300 Plus.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Realtek eCos SDK SIP ALG (affecting multiple router models)
No auth needed
Prerequisites: Network access to vulnerable device · Firmware image for analysis
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 8 stars
by stryker-project · poc
https://github.com/stryker-project/CVE-2022-27255-checker

This PoC checks for CVE-2022-27255 by sending a malformed SIP packet with a large payload to crash the target system. It verifies vulnerability by checking if the telnet service becomes unavailable after the exploit is sent.

Classification: Working PoC 90%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Nexxt Solutions Asterisk-based systems (specific version not specified)
No auth needed
Prerequisites: Network access to the target system · Telnet service running on the target
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Third Party Advisory x_refsource_misc
https://forum.defcon.org/node/241835

Scores

CVSS v3 9.8
EPSS 0.3708
EPSS Percentile 98.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-20
Status published
Products (2)
realtek/ecos_msdk_firmware 4.9.4p1
realtek/ecos_rsdk_firmware 1.5.7p1
Published Aug 01, 2022
Tracked Since Feb 18, 2026