CVE-2022-50691

CriticalPublic PoC

Published: 30 December 2025

Published

30 December 2025

Modified

12 January 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0042 61.7th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

MiniDVBLinux 5.4 contains a remote command execution vulnerability that allows unauthenticated attackers to execute arbitrary commands as root through the 'command' GET parameter. Attackers can exploit the /tpl/commands.sh endpoint by sending malicious command values to gain root-level system access.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents OS command injection by requiring validation of the unsanitized 'command' GET parameter at the /tpl/commands.sh endpoint.

SI-2 Flaw Remediation good match

prevent

Remediates the specific command execution flaw in MiniDVBLinux 5.4 through timely identification, reporting, and correction.

AC-3 Access Enforcement good match

prevent

Enforces access control policies to block unauthenticated remote access to the vulnerable /tpl/commands.sh endpoint.

Security SummaryAI

CVE-2022-50691 is a remote command execution vulnerability in MiniDVBLinux 5.4, classified under CWE-78 (OS Command Injection). The issue stems from the /tpl/commands.sh endpoint, which processes the 'command' GET parameter without proper sanitization, enabling attackers to inject and execute arbitrary commands.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no privileges or user interaction required, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation allows attackers to execute commands as root, resulting in complete system compromise with high impacts on confidentiality, integrity, and availability.

Advisories detailing the vulnerability, including potential mitigations, are available from sources such as VulnCheck (https://www.vulncheck.com/advisories/minidvblinux-remote-root-command-execution-via-commandssh), Zero Science Labs (https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5718.php), and Packet Storm Security (https://packetstormsecurity.com/files/168749/).

Details

CWE(s): CWE-78

Affected Products

minidvblinux

5.4

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

CVE-2022-50691 is an unauthenticated remote command injection vulnerability in a network-exposed web endpoint (/tpl/commands.sh), directly enabling exploitation of a public-facing application for arbitrary root command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://packetstormsecurity.com/files/168749/
Third Party Advisory · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/minidvblinux-remote-root-command-execution-via-commandssh
Third Party Advisory · disclosure@vulncheck.com
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5718.php
Exploit, Third Party Advisory · disclosure@vulncheck.com
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5718.php
Exploit, Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0