Security researcher Yerodin Richards has found an authenticated remote code execution vulnerability in Arris routers. ISPs typically provide these routers in loan for customers’ telephony and internet access. In a bizarre twist, he used the verification against itself to demonstrate the vulnerability.
The Arris router exploit allows a hacker to remotely access the device, says Richards. The bug is found in older TG2482A, TG2492, and SBG10 models, which can be commonly found in the Caribbean and Latin America. Richards says Arris told him it no longer supports the devices.
The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. CVE-2022-45701 is a newly discovered issue. When testing for shell script command injection, the researcher found that $ is accepted by the web application. That was promising, but when paired into $( , it was neutralized. This implies that the developer was intentionally trying to prevent this attack vector.