CVE-2022-40282

Published: Nov 25, 2022Modified: Apr 29, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

The web server of Hirschmann BAT-C2 before 09.13.01.00R04 allows authenticated command injection. This allows an authenticated attacker to pass commands to the shell of the system because the dir parameter of the FsCreateDir Ajax function is not sufficiently sanitized. The vendor's ID is BSECV-2022-21.

Affected (1)

Products: Belden: Hirschmann Bat C2 Firmware

1 product

Hirschmann Bat C2 Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Belden Hirschmann Bat C2 Firmware	Before 09.13.00r04

Running on/with	Platform Versions
Belden Hirschmann Bat C2	All versions

Related CWEs

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (6)

http://packetstormsecurity.com/files/170063/Hirschmann-Belden-BAT-C2-8.8.1.0R8-Command-Injection.html

Source: cve@mitre.org

ExploitThird Party Advisory

http://seclists.org/fulldisclosure/2022/Nov/19

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.belden.com/support/security-assurance

Source: cve@mitre.org

Broken Link

http://packetstormsecurity.com/files/170063/Hirschmann-Belden-BAT-C2-8.8.1.0R8-Command-Injection.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

http://seclists.org/fulldisclosure/2022/Nov/19

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://www.belden.com/support/security-assurance

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

Timeline

No history available yet.