CVE-2022-50791
HIGH
SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x - Command Injection
SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains a conditional command injection vulnerability that allows local authenticated users to create malicious files in the /tmp directory. Unauthenticated attackers can execute commands by making a single HTTP POST request to the vulnerable ping.php script, which triggers the malicious file and then deletes it.
References (5)
Core References
Exploit, Third Party Advisory third-party-advisory
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5735.php
Exploit, Third Party Advisory, VDB Entry exploit
https://packetstormsecurity.com/files/170262/SOUND4-IMPACT-FIRST-PULSE-Eco-2.x-ping.php-Command-Injection.html
Third Party Advisory vdb-entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/247915
Product product
https://www.sound4.com/
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/sound-impactfirstpulseeco-x-conditional-command-injection-via-pingphp
Scores
CVSS v3: 7.8
EPSS: 0.0335
EPSS Percentile: 87.2%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-78
Status: published
Products (12)
sound4/big_voice2_firmware: 1.30
sound4/big_voice4_firmware: 1.2
sound4/first_firmware: 2.15
sound4/first_firmware: 1.69
sound4/impact_eco_firmware: 1.16
sound4/impact_firmware: 2.15
sound4/impact_firmware: 1.69
sound4/pulse_eco_firmware: 1.16
sound4/pulse_firmware: 2.15
sound4/pulse_firmware: 1.69
... and 2 more
Published: Dec 30, 2025
Tracked Since: Feb 18, 2026