CVE-2022-4221
CRITICAL
ASUS NAS-M25 Firmware <= 1.0.1.7 - Unauthenticated OS Command Injection via Cookie
Title source: llmDescription
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Asus NAS-M25 allows an unauthenticated attacker to inject arbitrary OS commands via unsanitized cookie values. This issue affects NAS-M25: through 1.0.1.7.
References (1)
Core References
Exploit, Technical Description, Third Party Advisory
https://onekey.com/blog/security-advisory-asus-m25-nas-vulnerability/
Scores
CVSS v3: 9.8
EPSS: 0.5521
EPSS Percentile: 98.1%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total
Details
CWE: CWE-78
Status: published
Products (1)
asus/nas-m25_firmware < 1.0.1.7
Published: Dec 01, 2022
Tracked Since: Feb 18, 2026