{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-17T21:38:20.009","vulnerabilities":[{"cve":{"id":"CVE-2022-25218","sourceIdentifier":"vulnreport@tenable.com","published":"2022-03-10T17:47:02.133","lastModified":"2024-11-21T06:51:49.603","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"The use of the RSA algorithm without OAEP, or any other padding scheme, in telnetd_startup, allows an unauthenticated attacker on the local area network to achieve a significant degree of control over the \"plaintext\" to which an arbitrary blob of ciphertext will be decrypted by OpenSSL's RSA_public_decrypt() function. This weakness allows the attacker to manipulate the various iterations of the telnetd startup state machine and eventually obtain a root shell on the device, by means of an exchange of crafted UDP packets. In all versions but K2 22.5.9.163 and K3C 32.1.15.93 a successful attack also requires the exploitation of a null-byte interaction error (CVE-2022-25219)."},{"lang":"es","value":"El uso del algoritmo RSA sin OAEP, o cualquier otro esquema de relleno, en telnetd_startup, permite a un atacante no autenticado en la red de área local lograr un grado significativo de control sobre \"texto plano\" al que un blob arbitrario de texto cifrado será descifrado por la función RSA_public_decrypt() de OpenSSL. Esta debilidad permite al atacante manipular las diversas iteraciones de la máquina de estado de inicio de telnetd y eventualmente obtener un shell de root en el dispositivo, mediante un intercambio de paquetes UDP diseñados. En todas las versiones excepto K2 22.5.9.163 y K3C 32.1.15.93 un ataque con éxito también requiere la explotación de un error de interacción de byte nulo (CVE-2022-25219)"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:C/I:C/A:C","baseScore":9.3,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE"},"baseSeverity":"HIGH","exploitabilityScore":8.6,"impactScore":10.0,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-327"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:phicomm:k2_firmware:*:*:*:*:*:*:*:*","versionEndIncluding":"22.5.9.163","matchCriteriaId":"66980EB4-9FEC-451F-93F1-3E275CD6A462"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:phicomm:k2:-:*:*:*:*:*:*:*","matchCriteriaId":"26A205A0-3616-4CD9-A7B8-FEA63742ABE9"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:phicomm:k3_firmware:*:*:*:*:*:*:*:*","versionEndIncluding":"21.5.37.246","matchCriteriaId":"4C6D3940-9C77-4A8C-AD55-6857491B43B5"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:phicomm:k3:-:*:*:*:*:*:*:*","matchCriteriaId":"7FFD131E-E41A-44BD-81B5-A1A10E64D88B"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:phicomm:k3c_firmware:*:*:*:*:*:*:*:*","versionEndIncluding":"32.1.15.93","matchCriteriaId":"3319332E-25E6-4148-9A57-15FCF51C0413"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:phicomm:k3c:-:*:*:*:*:*:*:*","matchCriteriaId":"4D47C172-F2F6-451F-8891-D150DBBA181C"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:phicomm:k2g_firmware:*:*:*:*:*:*:*:*","versionEndIncluding":"22.6.3.20","matchCriteriaId":"D4737564-B92D-408E-81EC-598B76EE347F"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:phicomm:k2g:-:*:*:*:*:*:*:*","matchCriteriaId":"1C8AE809-CB81-4CEB-B383-0461E3885892"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:phicomm:k2p_firmware:*:*:*:*:*:*:*:*","versionEndIncluding":"20.4.1.7","matchCriteriaId":"8CE04942-4274-4A96-95E4-4838AAAC09A2"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:phicomm:k2p:-:*:*:*:*:*:*:*","matchCriteriaId":"F80A65CA-B4F2-4912-B991-1D60869D5CB9"}]}]}],"references":[{"url":"https://www.tenable.com/security/research/tra-2022-01","source":"vulnreport@tenable.com","tags":["Exploit","Third Party Advisory"]},{"url":"https://www.tenable.com/security/research/tra-2022-01","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Third Party Advisory"]}]}}]}