CVE-2022-39996

MEDIUM

Teldat RS123 and RS123w Firmware - Stored Cross-Site Scripting via cmdcookie Parameter

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2022-39996. PoCs published by uyhacked.

AI-analyzed exploit summary: The repository contains functional exploit code for CVE-2022-39996 (Reflected XSS) and CVE-2022-39997 (Weak Password) in Teldat RS123/RS123w routers. The PoCs include detailed implementations for testing and exploiting these vulnerabilities, with support for various authentication methods and payloads.

Description

Cross-site scripting vulnerability in Teldat's RS123 and RS123w routers allows an attacker to execute arbitrary code via the cmdcookie parameter to the upgrade/query.php page.

Exploits (2)

nomisec WORKING POC
by uyhacked · poc
https://github.com/uyhacked/Teldat-Router-CVE-2022-POC

Classification: Working PoC 95%
Attack Type: XSS | Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Teldat RS123/RS123w routers
No auth needed
Prerequisites: Network access to the target router · Default credentials (root:root) for CVE-2022-39997
devstral-2 · analyzed Jun 09, 2026

github WORKING POC
by uyhacked · pythonpoc
https://github.com/uyhacked/Teldat-Router-CVE-2022-POC/tree/main/CVE-2022-39996.py

This repository contains a functional Python script that demonstrates a reflected XSS vulnerability in Teldat RS123/RS123w routers via the 'cmd' cookie parameter on the /upgrade/index.html endpoint. The script includes multiple payloads, authentication support, and generates a standalone HTML PoC for demonstration.

Classification: Working PoC 95%
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: Teldat RS123/RS123w routers
No auth needed
Prerequisites: Network access to the target router · Victim must visit a crafted URL or page with the malicious cookie
devstral-2 · analyzed Jun 09, 2026

Scores

CVSS v3 4.8
EPSS 0.0011
EPSS Percentile 29.5%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE CWE-79
Status published
Products (2)
teldat/rs123_firmware
teldat/rs123w_firmware
Published Aug 27, 2024
Tracked Since Feb 18, 2026