CVE-2022-45899: Nokia BMC Unauthenticated RCE Vulnerability

CVE-2022-45899 Overview

CVE-2022-45899 is an OS command injection vulnerability affecting Nokia Broadcast Message Center (BMC) versions before 13.1. The flaw resides in the Log Scanner Search Pattern field, which fails to sanitize shell metacharacters before passing input to the underlying operating system. An unauthenticated remote attacker can inject arbitrary commands that execute with root privileges on the host. The vulnerability is classified under CWE-78, Improper Neutralization of Special Elements used in an OS Command.

Critical Impact

Unauthenticated remote attackers can execute arbitrary operating system commands as root on the BMC host, enabling full compromise of telecommunications messaging infrastructure.

Affected Products

• Nokia Broadcast Message Center (BMC) versions prior to 13.1
• Deployments exposing the Log Scanner interface to untrusted networks
• Telecommunications environments running vulnerable BMC builds

Discovery Timeline

• 2026-05-08 - CVE-2022-45899 published to NVD
• 2026-05-08 - Last updated in NVD database

Technical Details for CVE-2022-45899

Vulnerability Analysis

The Nokia Broadcast Message Center exposes a Log Scanner feature that accepts a user-supplied Search Pattern parameter. The application concatenates this input directly into a shell command without input validation or argument escaping. Shell metacharacters such as ;, |, &, backticks, and $() break out of the intended command context and introduce attacker-controlled commands.

Because the BMC log scanning process runs as root, injected commands inherit superuser privileges. An attacker can read sensitive subscriber data, modify message routing logic, install persistence mechanisms, or pivot deeper into the telecom operator network. No authentication is required to reach the vulnerable endpoint over the network.

Root Cause

The defect is a textbook [CWE-78] OS command injection. The Log Scanner Search Pattern field is passed to a shell interpreter rather than executed with a safe API such as execve with separated arguments. The application also lacks an allow-list of permitted characters and does not enforce authentication on the affected endpoint.

Attack Vector

The attack vector is network-based and requires no privileges or user interaction. An attacker submits a crafted Search Pattern containing shell metacharacters followed by an arbitrary command payload. The payload executes in the context of the BMC service account, which holds root permissions. A public proof-of-concept is referenced in Exploit-DB #51896.

A representative payload injects a command separator into the search field, causing the shell to interpret subsequent text as a new command. For example, supplying a pattern that includes ; followed by a shell command results in execution of both the legitimate search and the injected command.

Detection Methods for CVE-2022-45899

Indicators of Compromise

• Unexpected child processes spawned by the BMC Log Scanner service, particularly shells such as /bin/sh or /bin/bash.
• Outbound network connections from the BMC host to unfamiliar IP addresses or domains immediately following Log Scanner activity.
• Presence of shell metacharacters (;, |, &, `, $() inside Log Scanner audit logs or HTTP request logs.
• New files in /tmp, /var/tmp, or user home directories owned by root and created during scanner activity.

Detection Strategies

• Inspect HTTP request bodies and query strings to the BMC management interface for shell metacharacters in the Search Pattern parameter.
• Correlate Log Scanner invocations with process creation events that produce non-standard children of the scanner binary.
• Hunt for root-owned reverse shells, curl, wget, or nc invocations originating from the BMC application process tree.

Monitoring Recommendations

• Forward BMC application, web server, and Linux audit logs to a central analytics platform for correlation.
• Alert on any unauthenticated request to the Log Scanner endpoint from outside the operations management network.
• Baseline the normal process tree of the BMC service and alert on deviations, particularly shell or interpreter execution.

How to Mitigate CVE-2022-45899

Immediate Actions Required

• Upgrade Nokia Broadcast Message Center to version 13.1 or later as supplied by Nokia.
• Restrict network access to the BMC management interface to trusted administration subnets only.
• Audit BMC hosts for prior exploitation by reviewing process execution and file creation history.
• Rotate credentials, keys, and certificates stored on BMC hosts that may have been exposed.

Patch Information

Nokia addresses the vulnerability in Broadcast Message Center version 13.1. Operators should obtain the fixed release through the Nokia support portal and follow the vendor upgrade procedure. Refer to the Nokia Official Website for support contact details. Technical context for the issue is documented in Exploit-DB #51896.

Workarounds

• Place the BMC management interface behind a VPN or jump host that enforces strong authentication.
• Apply network ACLs that block direct access to the Log Scanner endpoint from any non-administrative network.
• Deploy a web application firewall rule that rejects requests containing shell metacharacters in the Search Pattern parameter.
• Run the BMC service under a non-privileged account where supported by the vendor, reducing the impact of successful injection.