CVE-2022-26872 is a software vulnerability that allows an attacker to reset a password if they can time their request to land in the narrow window between validation of the one-time password (OTP) and the user's submission of the new password. The flaw was disclosed by security researchers in January 2023, alongside another vulnerability, CVE-2022-40258. Both vulnerabilities belong to a set of bugs affecting AMI MegaRAC BMCs, collectively referred to as BMC&C.
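The race described above, modelled as an added example (hypothetical code written for this page, not AMI's firmware or any vendor's implementation): a reset flow in which OTP validation opens a shared per-account window, beside a design that binds the validation to a single-use token consumed before the password change is applied.

```python
import hmac
import secrets
class RacyResetService:
    # Vulnerable pattern (hypothetical): OTP validation flips a per-account flag; any
    # set_password call arriving while it is set is honoured, whoever sends it.
    def __init__(self, otp):
        self._otp, self._reset_authorized, self.password = otp, False, "original"
    def validate_otp(self, submitted):
        if hmac.compare_digest(submitted, self._otp):
            self._reset_authorized = True   # race window opens here
        return self._reset_authorized
    def set_password(self, new_password):
        if not self._reset_authorized:
            return False
        self.password = new_password
        self._reset_authorized = False      # ...and closes only here
        return True

class BoundResetService:
    # Hardened pattern: OTP validation mints a single-use reset token the caller must
    # present; set_password consumes it before applying the change (a real server
    # would do this under a lock or compare-and-swap to keep it atomic).
    def __init__(self, otp):
        self._otp, self._reset_token, self.password = otp, None, "original"
    def validate_otp(self, submitted):
        if not hmac.compare_digest(submitted, self._otp):
            return None
        self._reset_token = secrets.token_urlsafe(32)
        return self._reset_token
    def set_password(self, token, new_password):
        expected = self._reset_token
        if not (token and expected and hmac.compare_digest(token, expected)):
            return False
        self._reset_token = None            # single use: consumed first
        self.password = new_password
        return True

def interleaved_outcomes():
    # Replay the advisory's ordering: the user validates the OTP, a second party's
    # request lands in the window, then the user's own request arrives.
    racy = RacyResetService("123456")
    racy.validate_otp("123456")
    racy.set_password("chosen-by-second-party")   # accepted: the flag is shared
    racy.set_password("chosen-by-user")           # rejected: flag already cleared
    bound = BoundResetService("123456")
    token = bound.validate_otp("123456")
    bound.set_password(None, "chosen-by-second-party")  # rejected: no token
    bound.set_password(token, "chosen-by-user")         # accepted, once
    return {"racy": racy.password, "bound": bound.password}
```

The constructed OTP value and the in-memory state stand in for whatever the real BMC stores; the point is that the hardened design rejects any change not carrying the token issued to the validating party.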
Prior to the discovery of CVE-2022-26872, other vulnerabilities within the BMC&C set had been disclosed in December 2022. These included CVE-2022-40259, CVE-2022-40242, and CVE-2022-2827. All these vulnerabilities were revealed by a firmware security company and reported on The Hacker News website. They represent a series of flaws within the AMI MegaRAC BMCs that have posed significant security risks.
In conclusion, CVE-2022-26872 is a critical vulnerability that exposes systems to potential unauthorized access. It forms part of a larger group of bugs impacting AMI MegaRAC BMCs, which were disclosed between December 2022 and February 2023. The continual discovery of such vulnerabilities underscores the need for rigorous security practices and regular updates to protect against potential exploits.
Description last updated: 2024-05-04T19:51:59.550Z