CVE-2022-50794
Severity CVSS v4.0:
CRITICAL
Type:
CWE-78
OS Command Injections
Publication date:
30/12/2025
Last modified:
13/01/2026
Description
SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an unauthenticated command injection vulnerability in the username parameter. Attackers can exploit index.php and login.php scripts by injecting arbitrary shell commands through the HTTP POST 'username' parameter to execute system commands.
Impact
Base Score 4.0
9.30
Severity 4.0
CRITICAL
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:sound4:impact_firmware:2.15:*:*:*:*:*:*:* | ||
| cpe:2.3:h:sound4:impact:2.0:*:*:*:*:*:*:* | ||
| cpe:2.3:o:sound4:impact_firmware:1.69:*:*:*:*:*:*:* | ||
| cpe:2.3:h:sound4:impact:1.0:*:*:*:*:*:*:* | ||
| cpe:2.3:o:sound4:pulse_firmware:2.15:*:*:*:*:*:*:* | ||
| cpe:2.3:h:sound4:pulse:2.0:*:*:*:*:*:*:* | ||
| cpe:2.3:o:sound4:pulse_firmware:1.69:*:*:*:*:*:*:* | ||
| cpe:2.3:h:sound4:pulse:1.0:*:*:*:*:*:*:* | ||
| cpe:2.3:o:sound4:first_firmware:2.15:*:*:*:*:*:*:* | ||
| cpe:2.3:h:sound4:first:2.0:*:*:*:*:*:*:* | ||
| cpe:2.3:o:sound4:first_firmware:1.69:*:*:*:*:*:*:* | ||
| cpe:2.3:h:sound4:first:1.0:*:*:*:*:*:*:* | ||
| cpe:2.3:o:sound4:impact_eco_firmware:1.16:*:*:*:*:*:*:* | ||
| cpe:2.3:h:sound4:impact_eco:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:sound4:pulse_eco_firmware:1.16:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://exchange.xforce.ibmcloud.com/vulnerabilities/247914
- https://packetstormsecurity.com/files/170266/SOUND4-IMPACT-FIRST-PULSE-Eco-2.x-username-Command-Injection.html
- https://www.sound4.com/
- https://www.vulncheck.com/advisories/sound-impactfirstpulseeco-x-unauthenticated-command-injection-via-username
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5739.php