CVE-2022-45899
Awaiting Analysis Awaiting Analysis - Queue
OS Command Injection in Nokia BMC

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: MITRE

Description
Nokia Broadcast Message Center (BMC) before 13.1 allows an unauthenticated remote attacker to do OS command injection as root via shell metacharacters in the Log Scanner Search Pattern field.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2022-45899
EUVD
EUVD-2022-48746
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nokia broadcast_message_center to 13.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

The Nokia Broadcast Message Center (BMC) Log Scanner web application has a critical vulnerability that allows an unauthenticated remote attacker to perform OS command injection as the root user.

This happens because the application does not properly validate input in the Search Pattern field, allowing attackers to inject shell metacharacters and execute arbitrary commands on the server.

For example, an attacker could inject commands like ";id" or ";cat /etc/shadow" to execute system commands with root privileges.

Impact Analysis

This vulnerability can have severe impacts because it allows an attacker to execute arbitrary commands on the affected system with root privileges without any authentication.

An attacker could gain full control over the system, access sensitive data, modify or delete files, disrupt services, or use the compromised system as a foothold to attack other parts of the network.

Detection Guidance

This vulnerability can be detected by testing the Nokia Broadcast Message Center Log Scanner web application for command injection in the Search Pattern field.

An example command to test for this vulnerability is to inject shell metacharacters such as ";id" or ";cat /etc/shadow" into the Search Pattern field and observe if the commands are executed.

Mitigation Strategies

The immediate mitigation step is to upgrade the Nokia Broadcast Message Center application to version 13.1 or later, where this vulnerability has been fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2022-45899. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart