CVE-2022-2486
Published: 20 July 2022
Summary
CVE-2022-2486 is a high-severity OS Command Injection (CWE-78) vulnerability in Wavlink Wl-Wn535K2 Firmware. Its CVSS base score is 8.0 (High).
Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
A critical OS command injection vulnerability exists in the WAVLINK WN535K2 and WN535K3 devices, specifically within the /cgi-bin/mesh.cgi?page=upgrade endpoint. The flaw, tracked as CVE-2022-2486 and assigned CWE-78, arises from insufficient sanitization of the "key" parameter, allowing arbitrary command execution. It carries a CVSS 3.1 score of 8.0, reflecting an adjacent-network attack vector, low attack complexity, low privileges required, and high impact on confidentiality, integrity, and availability.
An attacker positioned on the same network segment who can reach the affected CGI script can supply a malicious "key" value to inject and execute operating-system commands. This grants the ability to compromise device configuration, exfiltrate data, or disrupt service without user interaction. Public exploit code has already been released, enabling straightforward reproduction of the attack.
The EPSS score currently stands at 0.9012, with a recorded peak of 0.9733, indicating sustained and substantial exploitation interest following disclosure. No vendor advisory or patch information is referenced in the available sources.
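As an added illustration, not part of this advisory, the following Python scans web-server access-log lines for requests that match the pattern described above: the affected CGI path, page=upgrade, and a key value containing shell metacharacters. The log layout, the IP addresses and the parameter values are constructed assumptions, not data from the vulnerable device.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter named in the CVE-2022-2486 description.
AFFECTED_PATH = "/cgi-bin/mesh.cgi"
AFFECTED_PAGE = "upgrade"
SUSPECT_PARAM = "key"
# Characters a shell interprets; a legitimate key value should not contain them.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r]")
# Simplified Apache/nginx combined-format line (assumed layout for the sample).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def inspect_request(target):
    """Return a reason if the request target matches the CVE-2022-2486 pattern, else None."""
    parts = urlsplit(target)
    if parts.path != AFFECTED_PATH:
        return None
    # parse_qs percent-decodes each value once, so key=abc%7Cbar is checked as 'abc|bar'.
    qs = parse_qs(parts.query, keep_blank_values=True)
    if AFFECTED_PAGE not in qs.get("page", []):
        return None
    for value in qs.get(SUSPECT_PARAM, []):
        if SHELL_META.search(value):
            return f"shell metacharacter in '{SUSPECT_PARAM}' parameter"
    return None

def scan_log(lines):
    """Return (source_ip, timestamp, reason) for each suspicious access-log line.
    Only query-string values reach the access log; a parameter sent in a POST body
    must be inspected at a reverse proxy or WAF instead."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (reason := inspect_request(m["target"])):
            hits.append((m["ip"], m["ts"], reason))
    return hits

# Constructed sample lines (RFC 5737 test addresses); only the second one should be flagged.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Jul/2022:10:00:01 +0000] "GET /cgi-bin/mesh.cgi?page=upgrade&key=abc123 HTTP/1.1" 200 512',
    '192.0.2.11 - - [21/Jul/2022:10:00:05 +0000] "GET /cgi-bin/mesh.cgi?page=upgrade&key=abc%7Cbar HTTP/1.1" 200 77',
    '192.0.2.12 - - [21/Jul/2022:10:00:09 +0000] "GET /cgi-bin/mesh.cgi?page=status&key=a%3Bb HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, ts, reason in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip}: {reason}")
```

The check is intentionally narrow (exact path, page=upgrade, metacharacters in key); widen SHELL_META or add the device's other CGI endpoints only after confirming what legitimate traffic to the device looks like.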
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-34745
Vulnerability details
A vulnerability, which was classified as critical, was found in WAVLINK WN535K2 and WN535K3. This affects an unknown part of the file /cgi-bin/mesh.cgi?page=upgrade. The manipulation of the argument key leads to os command injection. The exploit has been disclosed to the public and may be used.
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
WAVLINK WN535K2 and WN535K3 devices (firmware).
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.