CVE-2022-26581

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2022-26581
PAX A930 device with PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 can allow an unauthorized attacker to perform privileged actions through the execution of specific binaries listed in ADB daemon. The attacker must have physical USB access to the device in order to exploit this vulnerability.

6.8 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.9 / Impact : 5.9

Attack Vector PHYSICAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://cyshield.com/e077d6c3-adff-49a1-afc3-71e10140f95c Third Party Advisory
https://github.com/wr3nchsr/PAX-Paydroid-Advisories/blob/master/advisories/2022/CVEs/CVE-2022-26581.md
https://wr3nchsr.github.io/pax-paydroid-vulnerabilities-advisory-2022/
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:paxtechnology:paydroid:7.1.1_virgo_v04.3.26t1_20210419:*:*:*:*:*:*:*
cpe:2.3:h:paxtechnology:a930:-:*:*:*:*:*:*:*
History

23 Apr 2024, 14:15

Type Values Removed Values Added
References
  • () https://wr3nchsr.github.io/pax-paydroid-vulnerabilities-advisory-2022/ -
Summary
  • (es) El dispositivo PAX A930 con PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 puede permitir que un atacante no autorizado realice acciones privilegiadas mediante la ejecución de archivos binarios específicos enumerados en el daemon ADB. El atacante debe tener acceso USB físico al dispositivo para poder aprovechar esta vulnerabilidad.

08 Aug 2023, 14:22

Type Values Removed Values Added
CWE NVD-CWE-Other

01 Mar 2023, 00:15

Type Values Removed Values Added
References
  • (MISC) https://github.com/wr3nchsr/PAX-Paydroid-Advisories/blob/master/advisories/2022/CVEs/CVE-2022-26581.md -
Summary The ADB daemon in PAX Technology A930 PayDroid 7.1.1 Virgo V04.4.02 20211201 allows the execution of the systool utility in production mode, allowing unauthenticated attackers to perform privileged actions. PAX A930 device with PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 can allow an unauthorized attacker to perform privileged actions through the execution of specific binaries listed in ADB daemon. The attacker must have physical USB access to the device in order to exploit this vulnerability.

22 Dec 2022, 16:10

Type Values Removed Values Added
CWE CWE-862
References (MISC) https://cyshield.com/e077d6c3-adff-49a1-afc3-71e10140f95c - (MISC) https://cyshield.com/e077d6c3-adff-49a1-afc3-71e10140f95c - Third Party Advisory
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.8
First Time Paxtechnology
Paxtechnology paydroid
Paxtechnology a930
CPE cpe:2.3:h:paxtechnology:a930:-:*:*:*:*:*:*:*
cpe:2.3:o:paxtechnology:paydroid:7.1.1_virgo_v04.3.26t1_20210419:*:*:*:*:*:*:*

16 Dec 2022, 22:15

Type Values Removed Values Added
New CVE
Information

Published : 2022-12-16 22:15

Updated : 2024-04-23 14:15

NVD link : CVE-2022-26581

Mitre link : CVE-2022-26581

CVE.ORG link : CVE-2022-26581

JSON object : View

Products Affected

paxtechnology

  • a930
  • paydroid
CWE
CWE-862

Missing Authorization

NVD-CWE-Other