CVE-2022-26941: Format string vulnerability in AT+CTGL command in Motorola MTM5000
First published: Thu Oct 19 2023(Updated: )
A format string vulnerability exists in Motorola MTM5000 series firmware AT command handler for the AT+CTGL command. An attacker-controllable string is improperly handled, allowing for a write-anything-anywhere scenario. This can be leveraged to obtain arbitrary code execution inside the teds_app binary, which runs with root privileges.
Credit: cert@ncsc.nl cert@ncsc.nl
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Motorola Mtm5500 Firmware | ||
| Motorola Mtm5500 | ||
| Motorola Mtm5400 Firmware | ||
| Motorola Mtm5400 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2022-26941.
What is the severity of CVE-2022-26941?
The severity of CVE-2022-26941 is critical with a score of 9.6.
What is the affected software in this vulnerability?
The affected software in this vulnerability is Motorola Mtm5500 Firmware and Motorola Mtm5400 Firmware.
What is the CWE ID for this vulnerability?
The CWE ID for this vulnerability is CWE-134.
Is there a fix available for CVE-2022-26941?
At the moment, there is no information about a fix available for CVE-2022-26941. Please refer to the vendor's security advisory for updates.
- collector/nvd-index
- collector/nvd-api
- agent/author
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/references
- agent/title
- agent/last-modified-date
- agent/tags
- agent/description
- agent/event
- agent/first-publish-date
- vendor/motorola
- canonical/motorola mtm5500 firmware
- canonical/motorola mtm5500
- canonical/motorola mtm5400 firmware
- canonical/motorola mtm5400