CVE-2022-45899
OS Command Injection in Nokia BMC
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nokia | broadcast_message_center | up to 13.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Nokia Broadcast Message Center (BMC) Log Scanner web application has a critical vulnerability that allows an unauthenticated remote attacker to perform OS command injection as the root user.
This happens because the application does not properly validate input in the Search Pattern field, allowing attackers to inject shell metacharacters and execute arbitrary commands on the server.
For example, an attacker could inject commands like ";id" or ";cat /etc/shadow" to execute system commands with root privileges.
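The following is an added example, not code from Nokia BMC or from this advisory: a generic sketch of how a log-search feature ends up with CWE-78 and how passing the pattern as a single argument removes it. The use of `grep`, the function names and the sample log lines are assumptions made for illustration.

```python
import shlex
import subprocess
import tempfile

# Constructed sample log lines (not from the product).
SAMPLE_LOG = (
    "2026-01-01T00:00:01Z INFO broadcast accepted id=42\n"
    "2026-01-01T00:00:02Z WARN delivery timeout cell=1234\n"
)

def write_sample_log() -> str:
    """Write the constructed sample log to a temp file and return its path."""
    with tempfile.NamedTemporaryFile("w", suffix=".log", delete=False) as fh:
        fh.write(SAMPLE_LOG)
        return fh.name

def build_unsafe_command(pattern: str, log_path: str) -> str:
    """CWE-78 pattern: the search field is pasted into a shell command line."""
    return f"grep {pattern} {log_path}"

def shell_commands(command_line: str) -> list[list[str]]:
    """Split a command line into the separate commands a POSIX shell sees at ';'."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token == ";":
            commands.append(current)
            current = []
        else:
            current.append(token)
    commands.append(current)
    return [cmd for cmd in commands if cmd]

def search_logs_safe(pattern: str, log_path: str) -> list[str]:
    """Hardened form: no shell; the pattern is a single argv element."""
    # -F matches the pattern literally, -e stops a leading '-' being read as an
    # option, and '--' ends option parsing before the file name.
    argv = ["grep", "-F", "-e", pattern, "--", log_path]
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    if result.returncode > 1:  # grep exits 0 on match, 1 on no match, >1 on error
        raise RuntimeError(result.stderr.strip())
    return result.stdout.splitlines()

if __name__ == "__main__":
    path = write_sample_log()
    print(shell_commands(build_unsafe_command(";id", path)))  # two commands
    print(search_logs_safe(";id", path))                      # literal search only
    print(search_logs_safe("timeout", path))
```

The unsafe string is only tokenized here, never executed. If the search field must accept regular expressions, drop `-F` and keep the argv form.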
How can this vulnerability impact me?
This vulnerability can have severe impacts because it allows an attacker to execute arbitrary commands on the affected system with root privileges without any authentication.
An attacker could gain full control over the system, access sensitive data, modify or delete files, disrupt services, or use the compromised system as a foothold to attack other parts of the network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the Nokia Broadcast Message Center Log Scanner web application for command injection in the Search Pattern field.
One way to test for this vulnerability is to enter shell metacharacters such as ";id" or ";cat /etc/shadow" into the Search Pattern field and observe whether the commands are executed.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Nokia Broadcast Message Center application to version 13.1 or later, where this vulnerability has been fixed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.