CVE-2022-35526

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions WAVLINK WN572HP3 WAVLINK WN533A8 WAVLINK WN530H4 WAVLINK WN535G3 WAVLINK WN531P3

Description The issue is related to the login.cgi, which has no filtering on the key parameter, leading to command injection in the /login.shtml page.

Recommendations For WAVLINK WN572HP3, update the firmware to remove the vulnerability in the login.cgi. For WAVLINK WN533A8, update the firmware to remove the vulnerability in the login.cgi. For WAVLINK WN530H4, update the firmware to remove the vulnerability in the login.cgi. For WAVLINK WN535G3, update the firmware to remove the vulnerability in the login.cgi. For WAVLINK WN531P3, update the firmware to remove the vulnerability in the login.cgi. As a temporary workaround, consider restricting access to the login.cgi and the /login.shtml page until a patch is available.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2022-35526

Affected Products

Wavlink Wn530H4

Wavlink Wn531P3

Wavlink Wn533A8

Wavlink Wn535G3

Wavlink Wn572Hp3

CVE-2022-35526

Related Identifiers

Affected Products

References · 3