PT-2022-22879 · Wavlink · Wavlink Wn535G3+4
Published
2022-08-09
·
Updated
2023-08-08
·
CVE-2022-35517
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
WAVLINK WN572HP3
WAVLINK WN533A8
WAVLINK WN530H4
WAVLINK WN535G3
WAVLINK WN531P3
Description
The issue concerns the lack of filtering on certain parameters in the adm.cgi file, specifically:
web pskValue, wl Method, wlan ssid, EncrypType, rwan ip, rwan mask, rwan gateway, ppp username, ppp passwd, and ppp setver. This omission leads to command injection in the /wizard router mesh.shtml page.Recommendations
For WAVLINK WN572HP3, update the firmware to remove the vulnerability in the adm.cgi file.
For WAVLINK WN533A8, update the firmware to remove the vulnerability in the adm.cgi file.
For WAVLINK WN530H4, update the firmware to remove the vulnerability in the adm.cgi file.
For WAVLINK WN535G3, update the firmware to remove the vulnerability in the adm.cgi file.
For WAVLINK WN531P3, update the firmware to remove the vulnerability in the adm.cgi file.
Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Wavlink Wn530H4
Wavlink Wn531P3
Wavlink Wn533A8
Wavlink Wn535G3
Wavlink Wn572Hp3