Details of VAR-202211-1978

ID

VAR-202211-1978

CVE

CVE-2022-44252

TITLE

TOTOLINK of lr350 in the firmware OS Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2022-021448

DESCRIPTION

TOTOLINK NR1800X V9.1.0u.6279_B20210910 contains a command injection via the FileName parameter in the setUploadSetting function. TOTOLINK of lr350 The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The TOTOLINK NR1800X is a 5G NR indoor Wi-Fi and SIP CPE (broadband access equipment) launched by China's TOTOLINK Electronics. It is primarily designed for deploying NR fixed data services in homes and offices and supports 5G NR network connectivity. An attacker could exploit this vulnerability to cause remote code execution

Trust: 2.16

sources: NVD: CVE-2022-44252 // JVNDB: JVNDB-2022-021448 // CNVD: CNVD-2025-21010

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2025-21010

AFFECTED PRODUCTS

vendor:	totolink	model:	lr350	scope:	eq	version:	9.3.5u.6369_b20220309	Trust: 1.0
vendor:	totolink	model:	lr350	scope:	-	version:	-	Trust: 0.8
vendor:	totolink	model:	lr350	scope:	eq	version:	-	Trust: 0.8
vendor:	totolink	model:	lr350	scope:	eq	version:	lr350 firmware 9.3.5u.6369 b20220309	Trust: 0.8
vendor:	totolink	model:	nr1800x 9.1.0u.6279 b20210910	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2025-21010 // JVNDB: JVNDB-2022-021448 // NVD: CVE-2022-44252

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-44252
value:	CRITICAL
Trust: 1.0
134c704f-9b21-4f2e-91b3-4a467353bcc0:	CVE-2022-44252
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2022-44252
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2025-21010
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202211-3378
value:	CRITICAL
Trust: 0.6

CNVD:	CNVD-2025-21010
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2022-44252
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 2.0
NVD:	CVE-2022-44252
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2025-21010 // CNNVD: CNNVD-202211-3378 // JVNDB: JVNDB-2022-021448 // NVD: CVE-2022-44252 // NVD: CVE-2022-44252

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.0
problemtype:	OS Command injection (CWE-78) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-021448 // NVD: CVE-2022-44252

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202211-3378

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-202211-3378

EXTERNAL IDS

db:	NVD	id:	CVE-2022-44252	Trust: 3.8
db:	JVNDB	id:	JVNDB-2022-021448	Trust: 0.8
db:	CNVD	id:	CNVD-2025-21010	Trust: 0.6
db:	CNNVD	id:	CNNVD-202211-3378	Trust: 0.6

sources: CNVD: CNVD-2025-21010 // CNNVD: CNNVD-202211-3378 // JVNDB: JVNDB-2022-021448 // NVD: CVE-2022-44252

REFERENCES

url:	https://brief-nymphea-813.notion.site/lr350-command-injection-setuploadsetting-b6d3012a3c2f43adac79c44edd57c937	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2022-44252	Trust: 1.4
url:	https://cxsecurity.com/cveshow/cve-2022-44252/	Trust: 0.6

sources: CNVD: CNVD-2025-21010 // CNNVD: CNNVD-202211-3378 // JVNDB: JVNDB-2022-021448 // NVD: CVE-2022-44252

SOURCES

db:	CNVD	id:	CNVD-2025-21010
db:	CNNVD	id:	CNNVD-202211-3378
db:	JVNDB	id:	JVNDB-2022-021448
db:	NVD	id:	CVE-2022-44252

LAST UPDATE DATE

2025-09-12T23:50:32.916000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2025-21010	date:	2025-09-11T00:00:00
db:	CNNVD	id:	CNNVD-202211-3378	date:	2022-11-28T00:00:00
db:	JVNDB	id:	JVNDB-2022-021448	date:	2023-11-10T08:16:00
db:	NVD	id:	CVE-2022-44252	date:	2025-04-25T21:15:35.187

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2025-21010	date:	2025-09-10T00:00:00
db:	CNNVD	id:	CNNVD-202211-3378	date:	2022-11-23T00:00:00
db:	JVNDB	id:	JVNDB-2022-021448	date:	2023-11-10T00:00:00
db:	NVD	id:	CVE-2022-44252	date:	2022-11-23T16:15:10.627