CVE-2022-50909
Unknown Unknown - Not Provided
Command Injection in Algo 8028 Control Panel Allows RCE

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: VulnCheck

Description
Algo 8028 Control Panel version 3.3.3 contains a command injection vulnerability in the fm-data.lua endpoint that allows authenticated attackers to execute arbitrary commands. Attackers can exploit the insecure 'source' parameter by injecting commands that are executed with root privileges, enabling remote code execution through a crafted POST request.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-01-13
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-14
NVD
CVE-2022-50909
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
algo_communication_products_ltd algo_8028_control_panel 3.3.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2022-50909 is a command injection vulnerability in Algo 8028 Control Panel version 3.3.3, specifically in the fm-data.lua endpoint. Authenticated attackers can exploit the insecure 'source' parameter by sending a crafted POST request that injects arbitrary commands executed with root privileges. This allows remote code execution on the device, enabling attackers to run any commands as the root user. [2, 4]

Impact Analysis

This vulnerability allows an authenticated attacker to execute arbitrary commands with root privileges on the Algo 8028 device. This can lead to full compromise of the device, including unauthorized access, data manipulation, disruption of services, and potential use of the device as a foothold for further attacks within the network. [2, 4]

Detection Guidance

This vulnerability can be detected by attempting to exploit the command injection in the 'source' parameter of the /control/fm-data.lua endpoint with authenticated access. A crafted POST request can be sent with parameters such as 'action=rename' and a specially crafted 'source' value that injects a command. For example, using curl to send a POST request with form data including 'action=rename' and 'source=/a";echo test 2>&1 > /opt/algo/web/root/a.txt;"' can test if command injection is possible. Then, an HTTP GET request to http://<host>/a.txt can be used to check if the command output is accessible, indicating vulnerability. The exploit involves logging in first by POSTing credentials to /index.lua. A Python3 script demonstrating this process is available in the exploit details. [2]

Mitigation Strategies

Immediate mitigation steps include restricting access to the Algo 8028 Control Panel to trusted users only, ensuring that only authenticated and authorized personnel can access the /control/fm-data.lua endpoint. Applying any available firmware updates from the vendor that address this vulnerability is critical. Since the vulnerability requires authenticated access, enforcing strong authentication and monitoring for suspicious POST requests to the fm-data.lua endpoint can help mitigate exploitation. If possible, disable or restrict the vulnerable functionality until a patch is applied. [2, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2022-50909. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart