OTPulse

Ricon Mobile Industrial Cellular Router

Act Now · CVSS 9.1 · ICS-CERT ICSA-22-032-01 · Feb 1, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in Ricon Mobile Industrial Cellular Router models S9922L and S9922XL (version 16.10.3) allows unauthenticated remote command injection. An attacker can execute arbitrary shell commands as an Admin user through the network interface. The vendor has not responded to CISA requests for a patch and no fix is currently available.

What this means
What could happen
An attacker on the network could execute commands on the router with administrative privileges, allowing them to manipulate network traffic, intercept communications, or disrupt connectivity for industrial equipment reliant on this cellular connection.
Who's at risk
Manufacturing facilities using Ricon Mobile cellular routers for remote equipment monitoring, process communications, or industrial IoT connectivity. This includes plants relying on the S9922L or S9922XL for reliable uptime of networked control systems or telemetry.
How it could be exploited
An attacker sends a specially crafted network request to the router's exposed interface. No authentication is required. The malicious payload is injected into a command-line execution path, allowing the attacker to run arbitrary shell commands with admin-level privileges on the device.
Prerequisites
  • Network access to the router's management interface (typically port 80/443 or similar)
  • No valid credentials required
remotely exploitable · no authentication required · low complexity · no patch available · affects network backbone for industrial operations
Exploitability
Moderate exploit probability (EPSS 2.4%)
Affected products (2)
2 EOL
Product | Affected Versions | Fix Status
S9922L | 16.10.3 | No fix (EOL)
S9922XL | 16.10.3 | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Minimize network exposure of the Ricon router; ensure it is not reachable from the Internet or untrusted networks.
  • HARDENING: Place the router behind a firewall and isolate it from the business/corporate network. Only allow necessary traffic from trusted control system devices.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: If remote management access is required, use a VPN with strong authentication and keep it updated to the latest patched version.
  • WORKAROUND: Contact Ricon Mobile customer support regularly to inquire about patch availability and replacement options.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: S9922L, S9922XL. Apply the following compensating controls:
  • HARDENING: Monitor for suspicious network activity targeting the router and report any indicators to CISA.