CVE-2022-36158

HIGH

Contec FXA3200 <1.13.00 - Command Injection

Title source: llm

Description

Contec FXA3200 version 1.13.00 and under suffers from insecure permissions in the Wireless LAN Manager interface, which allows malicious actors to execute Linux commands with root privileges via a hidden web page (/usr/www/ja/mnt_cmd.cgi).

Scores

CVSS v3: 8.0
EPSS: 0.0050
EPSS Percentile: 65.8%
Attack Vector: ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-425
Status: published
Products (4)
contec/fxa2000_firmware < 1.39.00
contec/fxa3000_firmware < 1.13.00
contec/fxa3020_firmware < 1.13.00
contec/fxa3200_firmware < 1.13.00
Published: Sep 26, 2022
Tracked Since: Feb 18, 2026