External risk intelligence

Device Management REST API OS Command Injection

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2026-22313

A critical vulnerability exists in a device's web server REST API, allowing authenticated attackers to execute arbitrary commands with administrative privileges. While this flaw could lead to a complete system compromise, it is currently classified as unlikely to be externally exploitable as it resides on a management

Halo Surface Signal

Halo Surface Signal score for CVE-2026-22313 (external exposure likelihood): 2

OS Command Injection

The vulnerability resides in a web server REST API specifically designated for use on a management network. Management interfaces are typically isolated from the public internet by internal controls and network segmentation, making direct public exposure uncommon in standard deployment patterns.

PCI scan relevance

PCI Relevance for CVE-2026-22313: Yes

Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This OS command injection vulnerability allows authenticated attackers to run arbitrary commands with administrative permissions, potentially causing a PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in a device's web server, specifically within its REST API. This issue allows an authenticated attacker to execute arbitrary commands with administrative privileges on the device. The primary concern is confirming whether this specific device and its management network are exposed in a way that attackers could exploit.

  • Command injection allows full device control.
  • Critical control flaw impacts sensitive devices.
  • Confirm relevance and exposure to management networks.

Attack Path

How an attacker could exploit the issue

An attacker who gains authenticated access to the device's management network could interact with a web server's REST API. By sending specially crafted commands to this API, the attacker can exploit an operating system command injection flaw. This allows them to execute arbitrary commands on the device with the highest level of administrative privileges, potentially leading to a complete compromise of the system.

  • Authenticated access to the management network.
  • Sending commands to the REST API.
  • Arbitrary command execution with admin rights.

Live Threat

Current exploitation, exposure, and threat context

According to the advisory, an authenticated attacker with administrative privileges could execute arbitrary commands on the device's operating system. This vulnerability affects the device's web server REST API, which is authenticated via a token and exposed on the management network.

  • Device operating system and data.
  • Via authenticated REST API commands.
  • Complete system compromise.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability affects devices with a web server and REST API accessible on a management network. The first step is to identify all such devices, confirm their reachability from less secure network segments, and determine their business criticality. Once identified, the accountable owner, likely an infrastructure or platform team, must be engaged to plan remediation.

  • Infrastructure or platform teams own this.
  • Verify reachability and business criticality first.
  • Plan remediation based on risk and ownership.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the software component affected by CVE-2026-22313?

This CVE affects the built-in web server within the device. This web server hosts a REST API used for device management, which administrators typically access to configure or monitor system operations via the management network.

How does this OS command injection vulnerability work?

The issue is classified as CWE-78, or Improper Neutralization of Special Elements used in an OS Command. In simple terms, the API does not properly sanitize input, allowing an attacker to inject and execute their own system-level commands that the device then runs with administrative permissions.

What conditions are required to trigger this command injection?

An attacker must already have authenticated access to the management network and a valid token to interact with the REST API. Simply sending requests to the device without this specific authentication and network-level access will not trigger the vulnerability.

Is my device vulnerable if it is not on the public internet?

Halo Surface Signal notes that this REST API is designed for management networks, which are usually isolated. While this makes direct public internet exposure unlikely, you should still verify if your specific management network has unintended reachability or connections from less secure segments.

What are the first steps to address this device security issue?

Start by auditing your infrastructure to locate all devices running this management REST API. Once identified, confirm if these devices are accessible from unauthorized network zones and contact your infrastructure or platform teams to prioritize remediation based on the device's business criticality.
