CVE-2022-43390
CVE-2022-43390 is a medium-severity vulnerability in Zyxel Lte7480-m804 Firmware with a CVSS 3.x base score of 5.4. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-78.
Key facts
- Severity: Medium (CVSS 3.x base score 5.4)
- EPSS exploit prediction: 1% (61st percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-78
- Affected product: Zyxel Lte7480-m804 Firmware
- Published:
- Last modified:
Description
A command injection vulnerability in the CGI program of Zyxel NR7101 firmware prior to V1.15(ACCC.3)C0, which could allow an authenticated attacker to execute some OS commands on a vulnerable device by sending a crafted HTTP request.
Frequently asked questions
- What is CVE-2022-43390?
- A command injection vulnerability in the CGI program of Zyxel NR7101 firmware prior to V1.15(ACCC.3)C0, which could allow an authenticated attacker to execute some OS commands on a vulnerable device by sending a crafted HTTP request.
- How severe is CVE-2022-43390?
- CVE-2022-43390 has a CVSS 3.x base score of 5.4, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is low, integrity low, and availability none.
- Is CVE-2022-43390 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (61st percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-43390?
- CVE-2022-43390 primarily affects Zyxel Lte7480-m804 Firmware. In total, 39 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2022-43390?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2022-43390 published?
- CVE-2022-43390 was published on 2023-01-11 and last updated on 2026-06-17.
References
Affected products (39)
- cpe:2.3:o:zyxel:lte7480-m804_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:lte7490-m904_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:nebula_nr5101_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:nebula_nr7101_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:nr5101_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:nr7101_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:nr7102_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:dx3301-t0_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:dx4510-b1_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:dx5401-b0_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:emg3525-t50b_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:emg5523-t50b_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:emg5723-t50k_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:ex3301-t0_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:ex3510-b0_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:ex5401-b0_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:ex5501-b0_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:ex5510-b0_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:ex5512-t0_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:ex5600-t1_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:ex5601-t0_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:ex5601-t1_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:vmg3927-t50k_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:vmg4005-b50a_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:vmg4005-b60a_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:vmg8623-t50b_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:vmg8825-t50k_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:ax7501-b0_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:pm3100-t0_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:pm5100-t0_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:pm7300-t0_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:pm7320-b0_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:pmg5317-t20b_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:pmg5617-t20b2_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:pmg5617ga_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:pmg5622ga_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:wx3100-t0_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:wx3401-b0_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:wx5600-t0_firmware:-:*:*:*:*:*:*:*
More vulnerabilities in Zyxel Lte7480-m804 Firmware
- CVE-2022-43389 — High (CVSS 8.6): A buffer overflow vulnerability in the library of the web server in Zyxel NR7101 firmware prior to V1.15(ACCC.3)C0,…
- CVE-2024-8748 — High (CVSS 7.5): A buffer overflow vulnerability in the packet parser of the third-party library "libclinkc" in Zyxel VMG8825-T50K…
- CVE-2023-27989 — Medium (CVSS 6.5): A buffer overflow vulnerability in the CGI program of the Zyxel NR7101 firmware versions prior to V1.00(ABUV.8)C0…
- CVE-2022-43392 — Medium (CVSS 6.5): A buffer overflow vulnerability in the parameter of web server in Zyxel NR7101 firmware prior to V1.15(ACCC.3)C0, which…
- CVE-2022-43391 — Medium (CVSS 6.5): A buffer overflow vulnerability in the parameter of the CGI program in Zyxel NR7101 firmware prior to V1.15(ACCC.3)C0,…
- CVE-2021-35036 — Medium (CVSS 6.5): A cleartext storage of information vulnerability in the Zyxel VMG3625-T50B firmware version V5.50(ABTL.0)b2k could…
All CVEs affecting Zyxel Lte7480-m804 Firmware →
Other CWE-78 (OS Command Injection) vulnerabilities
- CVE-2026-56004 — Critical (CVSS 10.0): A shellcode injection in the mercurial handler of the obs tar_scm source service before version 0.12.4 could be used by…
- CVE-2026-56415 — Critical (CVSS 10.0): Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is…
- CVE-2026-56413 — Critical (CVSS 10.0): Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms_service.pl service, which listens…
- CVE-2026-49869 — Critical (CVSS 10.0): Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in…
- CVE-2026-49261 — Critical (CVSS 10.0): MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through…
- CVE-2026-10520 — Critical (CVSS 10.0): An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a…