SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Unauthenticated Remote Code Execution via upload.cgi

Advisories

severity: critical
date: December 30, 2025
Affecting: Impact/Pulse/First Version 2: 1.1/2.15
Impact/Pulse Eco 1.16
BigVoice4 1.2
BigVoice2 1.30
Stream 1.1/2.4.29
WM2 1.11
CVE: CVE-2022-50796
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS: 9.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: Zero Science Lab Disclosure (ZSL-2022-5741)
Packet Storm Security Exploit Details
IBM X-Force Vulnerability Exchange Entry
SOUND4 Product Homepage
Credit: LiquidWorm as Gjoko Krstic of Zero Science Lab
Description: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an unauthenticated remote code execution vulnerability in the firmware upload functionality with path traversal flaw. Attackers can exploit the upload.cgi script to write malicious files to the system with www-data permissions, enabling unauthorized access and code execution.