Cyber Posture

CVE-2022-50909

Severity: High · Public PoC

Published: 13 January 2026
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0034 (56.8th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Algo 8028 Control Panel version 3.3.3 contains a command injection vulnerability in the fm-data.lua endpoint that allows authenticated attackers to execute arbitrary commands. Attackers can exploit the insecure 'source' parameter by injecting commands that are executed with root privileges, enabling remote code execution through a crafted POST request.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: Directly prevents command injection by validating and sanitizing the insecure 'source' parameter in the fm-data.lua endpoint.
- prevent: Remediates the specific command injection vulnerability in Algo 8028 Control Panel version 3.3.3 through timely flaw patching and firmware updates.
- prevent: Mitigates the impact of injected commands by enforcing least privilege, so that commands issued by low-privilege authenticated users are not executed as root.
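The first control above, the allowlist check on the 'source' parameter, modelled in Python as an added illustration; this is not the product's Lua code, and the handler shape, the `/data/` path and the `cat` command it feeds are assumptions, since the page does not show the vulnerable handler. The same check doubles as a detection rule over POST bodies sent to the endpoint.

```python
import re
from urllib.parse import parse_qs

# Hypothetical: only the endpoint name and parameter name come from the advisory.
ENDPOINT = "/fm-data.lua"
# Allowlist: one plain filename-style token, no path separators, no shell syntax.
SAFE_SOURCE = re.compile(r"[A-Za-z0-9_.-]{1,64}")
# Characters a POSIX shell would interpret; used for the log-side detection rule.
SHELL_META = re.compile(r"""[;&|`$(){}<>\n\\'"]""")


def validate_source(value):
    """True only if `source` is a bare filename the handler may safely use."""
    if value is None or not SAFE_SOURCE.fullmatch(value):
        return False
    return value not in (".", "..")


def build_command_unsafe(source):
    """Vulnerable pattern: untrusted input concatenated into a shell string.

    Anything the shell interprets inside `source` becomes a second command,
    which on this device runs as root.
    """
    return "cat /data/" + source


def build_command_hardened(source):
    """Fixed pattern: allowlist first, then an argv list so no shell parses it.

    Returns the argv list on success, None when the parameter is rejected.
    """
    if not validate_source(source):
        return None
    return ["cat", "/data/" + source]


def flag_request(path, body):
    """Detection: flag a POST to the endpoint whose `source` carries shell syntax."""
    if path != ENDPOINT:
        return False
    values = parse_qs(body, keep_blank_values=True).get("source", [])
    return any(SHELL_META.search(v) for v in values)
```

Any request that `flag_request` marks is also one the hardened handler rejects, so the two functions can be cross-checked against the same captured body.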

Security Summary (AI-generated)

CVE-2022-50909 is a command injection vulnerability (CWE-78) in Algo 8028 Control Panel version 3.3.3. The flaw exists in the fm-data.lua endpoint, where the insecure 'source' parameter enables authenticated attackers to inject arbitrary commands executed with root privileges. Exploitation occurs through a crafted POST request, leading to remote code execution. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Authenticated attackers with low privileges can exploit this issue over the network with low attack complexity and no user interaction. Successful exploitation allows remote code execution at the root level on the affected control panel, potentially enabling full system compromise, data theft, or further lateral movement within the environment.

Mitigation details are available through vendor resources and advisories. Algo Solutions provides firmware downloads for the 8028 device at https://www.algosolutions.com/firmware-downloads/8028-firmware-selection/. Additional guidance appears in the VulnCheck advisory at https://www.vulncheck.com/advisories/algo-control-panel-remote-code-execution-rce-authenticated, and a proof-of-concept exploit is published on Exploit-DB at https://www.exploit-db.com/exploits/50960.

Details

CWE(s): CWE-78 (OS Command Injection)

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1059.004 Command and Scripting Interpreter: Unix Shell (tactic: Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Command injection in the web endpoint allows low-privileged authenticated remote attackers to execute arbitrary OS commands as root, directly facilitating Exploitation for Privilege Escalation (T1068) and Command and Scripting Interpreter: Unix Shell (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References