CVE-2022-35520

Name of the Vulnerable Software and Affected Versions WAVLINK WN572HP3 WAVLINK WN533A8 WAVLINK WN530H4 WAVLINK WN535G3 WAVLINK WN531P3

Description The issue affects the api.cgi component, where a lack of filtering on the ufconf parameter leads to command injection. This ufconf parameter is hidden and does not appear in the POST body but exists in the cgi binary. The command injection vulnerability is specifically found in the /ledonoff.shtml page.

Recommendations For WAVLINK WN572HP3, consider disabling access to the /ledonoff.shtml page until a patch is available. For WAVLINK WN533A8, restrict the use of the ufconf parameter in the api.cgi component to minimize the risk of exploitation. For WAVLINK WN530H4, avoid using the api.cgi component until the issue is resolved. For WAVLINK WN535G3, restrict access to the api.cgi component to prevent command injection. For WAVLINK WN531P3, consider disabling the api.cgi component until a fix is provided.