Cyber Posture

CVE-2022-50793

Severity: High · Public PoC

Published: 30 December 2025
Modified: 13 January 2026
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0083 (74.6th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an authenticated command injection vulnerability in the www-data-handler.php script that allows attackers to inject system commands through the 'services' POST parameter. Attackers can exploit this vulnerability by crafting malicious 'services' parameter values to execute arbitrary system commands with www-data user privileges.

Mitigating Controls, NIST 800-53 r5 (AI-generated)

prevent: Directly mitigates the command injection by requiring validation and sanitization of the 'services' POST parameter in www-data-handler.php to block malicious inputs.

prevent: Remediates the specific flaw in the vulnerable PHP script through timely identification, reporting, and patching of the CVE.

prevent: Limits damage from injected commands by enforcing least privilege on the www-data user executing the arbitrary system commands.
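As an added illustration of the first control above (this is example code, not the vendor's www-data-handler.php or anything from the advisories), a PHP handler that accepts the 'services' POST parameter only when every token is on an allowlist, and still quotes each argument before the shell sees it. The service names, the comma-separated format and the systemctl command are assumptions made for the example.

```php
<?php
// Added example, not SOUND4 code. Allowlist validation of the 'services'
// POST parameter before any value can reach a shell. Service names, the
// comma-separated format and the restart command are assumptions.
declare(strict_types=1);

const ALLOWED_SERVICES = ['audio', 'streaming', 'snmp'];  // assumed names

/**
 * Returns the validated, de-duplicated list of service names, or null if
 * any token is not on the allowlist. Because only known names pass, shell
 * metacharacters such as ';', '|', '`' or '$(' can never be forwarded.
 */
function validate_services(string $raw): ?array
{
    $tokens = preg_split('/\s*,\s*/', trim($raw), -1, PREG_SPLIT_NO_EMPTY);
    if ($tokens === false || $tokens === []) {
        return null;
    }
    foreach ($tokens as $t) {
        if (!in_array($t, ALLOWED_SERVICES, true)) {
            return null;
        }
    }
    return array_values(array_unique($tokens));
}

/**
 * Builds the command from validated names only; each argument is still
 * wrapped in escapeshellarg() as defence in depth.
 */
function build_restart_command(array $services): string
{
    $args = array_map('escapeshellarg', $services);
    return '/usr/bin/systemctl restart ' . implode(' ', $args);  // assumed
}

// Request handling (constructed for the example).
$services = validate_services((string) ($_POST['services'] ?? ''));
if ($services === null) {
    // Rejected values are worth logging: they are a detection signal.
    error_log('www-data-handler: rejected services value from '
        . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    http_response_code(400);
    exit('invalid services parameter');
}
exec(build_restart_command($services), $output, $status);
```

Note that an allowlist is stronger than "sanitizing" by stripping characters: the control works because the input is matched against known-good values, not because bad characters are removed.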

Security Summary (AI-generated)

CVE-2022-50793 is an authenticated command injection vulnerability (CWE-78) in SOUND4 IMPACT, FIRST, PULSE, and Eco devices running versions <=2.x. The issue exists in the www-data-handler.php script, which processes the 'services' POST parameter without proper sanitization, enabling attackers to inject and execute arbitrary system commands with www-data user privileges.

Exploitation requires low-privileged authenticated access (PR:L) over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N), as reflected in its CVSS v3.1 base score of 8.8 (High). Successful attacks allow remote command execution without a change of scope (S:U), resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H).

Advisories from VulnCheck, Zero Science Lab, IBM X-Force Exchange, and Packet Storm Security detail the vulnerability, including proof-of-concept exploits, while the vendor site at sound4.com is referenced for potential updates or patches. Practitioners should consult these sources for mitigation guidance.

Details

CWE(s): CWE-78 (OS Command Injection)

Affected Products (vendor, product: versions)

sound4, impact firmware: 1.69, 2.15
sound4, pulse firmware: 1.69, 2.15
sound4, first firmware: 1.69, 2.15
sound4, impact eco firmware: 1.16
sound4, pulse eco firmware: 1.16
sound4, big voice4 firmware: 1.2
sound4, big voice2 firmware: 1.30
sound4, wm2 firmware: 1.11
sound4, stream extension: 2.4.29

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1059.004 Command and Scripting Interpreter: Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability is an authenticated command injection in a PHP script allowing arbitrary system command execution as www-data (Unix/Linux environment), directly enabling T1059.004: Unix Shell.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References