CVE-2022-50909
Command Injection in Algo 8028 Control Panel Allows RCE
Publication date: 2026-01-13
Last updated on: 2026-01-13
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| algo_communication_products_ltd | algo_8028_control_panel | 3.3.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2022-50909 is a command injection vulnerability in Algo 8028 Control Panel version 3.3.3, specifically in the fm-data.lua endpoint. Authenticated attackers can exploit the insecure 'source' parameter by sending a crafted POST request that injects arbitrary commands executed with root privileges. This allows remote code execution on the device, enabling attackers to run any commands as the root user. [2, 4]
How can this vulnerability impact me?
This vulnerability allows an authenticated attacker to execute arbitrary commands with root privileges on the Algo 8028 device. This can lead to full compromise of the device, including unauthorized access, data manipulation, disruption of services, and potential use of the device as a foothold for further attacks within the network. [2, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to exploit the command injection in the 'source' parameter of the /control/fm-data.lua endpoint with authenticated access. A crafted POST request can be sent with parameters such as 'action=rename' and a specially crafted 'source' value that injects a command. For example, using curl to send a POST request with form data including 'action=rename' and 'source=/a";echo test 2>&1 > /opt/algo/web/root/a.txt;"' can test if command injection is possible. Then, an HTTP GET request to http://<host>/a.txt can be used to check if the command output is accessible, indicating vulnerability. The exploit involves logging in first by POSTing credentials to /index.lua. A Python3 script demonstrating this process is available in the exploit details. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the Algo 8028 Control Panel to trusted users only, ensuring that only authenticated and authorized personnel can access the /control/fm-data.lua endpoint. Applying any available firmware updates from the vendor that address this vulnerability is critical. Since the vulnerability requires authenticated access, enforcing strong authentication and monitoring for suspicious POST requests to the fm-data.lua endpoint can help mitigate exploitation. If possible, disable or restrict the vulnerable functionality until a patch is applied. [2, 4]
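The monitoring step above can be turned into a concrete check. The following is an added example, not code from the advisory, from VulnCheck or from the vendor: it assumes a reverse proxy or WAF in front of the control panel that logs each request as one JSON object with the keys ts, src_ip, method, path and body (the URL-encoded form body); the log lines embedded below are constructed for the example. It flags POSTs to /control/fm-data.lua whose source value is outside a strict path allow-list or carries shell metacharacters (the CWE-78 condition), and then flags a GET from the same client shortly afterwards, which is how an attacker would retrieve command output written under the web root.

```python
"""Detection logic for suspected command-injection attempts against the
Algo 8028 /control/fm-data.lua endpoint (CVE-2022-50909).

Added example, not the advisory's or vendor's code. Assumes a proxy/WAF log
with one JSON record per request: ts, src_ip, method, path, body."""
import json
import re
from urllib.parse import parse_qs

VULN_PATH = "/control/fm-data.lua"

# Characters a shell would interpret; none of them belongs in a path
# handed to a file-rename action.
SHELL_META = re.compile(r'[;|&`$"\'<>\n\r]')

# Allow-list for 'source': an absolute path made of plain segments only.
SAFE_PATH = re.compile(r'^/(?:[A-Za-z0-9._-]+/)*[A-Za-z0-9._-]+$')

# Constructed sample log: one client tries an injection and then fetches
# the output file; another client performs a legitimate rename.
SAMPLE_LOG = """\
{"ts": 100, "src_ip": "10.0.0.5", "method": "POST", "path": "/index.lua", "body": "user=admin&password=REDACTED"}
{"ts": 101, "src_ip": "10.0.0.5", "method": "POST", "path": "/control/fm-data.lua", "body": "action=rename&source=%2Fa%22%3Becho+test%3B%22&dest=%2Fb"}
{"ts": 103, "src_ip": "10.0.0.5", "method": "GET", "path": "/a.txt", "body": ""}
{"ts": 200, "src_ip": "10.0.0.9", "method": "POST", "path": "/control/fm-data.lua", "body": "action=rename&source=%2Fmedia%2Fold.wav&dest=%2Fmedia%2Fnew.wav"}
"""


def unsafe_source(value: str) -> bool:
    """True when a 'source' value fails the path allow-list or contains
    shell metacharacters. Allow-listing is the primary check; the
    metacharacter scan only labels the reason more precisely."""
    return bool(SHELL_META.search(value)) or not SAFE_PATH.match(value)


def scan(log_text: str, window: int = 60) -> list:
    """Walk the log in order and return alert dicts.

    Two alert kinds: a suspicious POST to the vulnerable endpoint, and a GET
    from the same client within `window` seconds of such a POST (possible
    retrieval of command output dropped under the web root)."""
    alerts = []
    flagged = {}  # src_ip -> ts of the most recent suspicious POST
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ip, ts = rec["src_ip"], rec["ts"]
        if rec["method"] == "POST" and rec["path"] == VULN_PATH:
            form = parse_qs(rec["body"], keep_blank_values=True)
            for src in form.get("source", []):
                if unsafe_source(src):
                    alerts.append({
                        "ts": ts, "src_ip": ip,
                        "reason": "shell metacharacters or disallowed path in fm-data.lua source",
                        "value": src,
                    })
                    flagged[ip] = ts
        elif rec["method"] == "GET" and ip in flagged and ts - flagged[ip] <= window:
            alerts.append({
                "ts": ts, "src_ip": ip,
                "reason": "GET following injection attempt (possible output retrieval)",
                "value": rec["path"],
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(json.dumps(alert))
```

The allow-list is deliberately stricter than "no metacharacters": a value such as ../etc is rejected even though no shell would interpret it, because a rename action has no reason to accept it either. The window-based GET correlation is a heuristic; tune the window and restrict it to paths outside the panel's known static content to reduce noise.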