Cyber Resilience

CVE-2022-2486

Severity: High · Public PoC

Published: 20 July 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 8.0 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9012 (99.6th percentile)
Risk Priority: 70 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-2486 is a high-severity OS Command Injection (CWE-78) vulnerability in WAVLINK WN535K2 and WN535K3 firmware (NVD lists wl-wn535k2 firmware and wl-wn535k3 firmware, all versions). Its CVSS v3.1 base score is 8.0 (High).

Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood (EPSS 0.9012, 99.6th percentile); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

A high-severity OS command injection vulnerability exists in the WAVLINK WN535K2 and WN535K3 devices, in the /cgi-bin/mesh.cgi endpoint when it is invoked with page=upgrade. The flaw, tracked as CVE-2022-2486 and assigned CWE-78, arises from insufficient sanitization of the "key" parameter, which allows arbitrary command execution. Its CVSS 3.1 score of 8.0 reflects adjacent-network access (AV:A), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and high impact on confidentiality, integrity and availability (C:H/I:H/A:H).

An attacker on an adjacent network (for example a client on the router's LAN or Wi-Fi) who holds low-privileged access to the web interface and can reach the affected CGI script can supply a malicious "key" value to inject and execute operating-system commands. On consumer router firmware the HTTP server commonly runs as root, so command execution typically means full device compromise: altered configuration, exfiltrated data, or disrupted service, all without user interaction. Public exploit code has already been released, so reproduction is straightforward.

The EPSS score currently stands at 0.9012, with a recorded peak of 0.9733, indicating sustained and substantial exploitation interest since disclosure. No vendor advisory or patch information is referenced in the available sources. Absent a fix, the practical mitigations follow from the vector: keep the management interface off untrusted segments, since the attack requires adjacent-network reach and a low-privilege account, and replace any default credentials that would satisfy the PR:L requirement.

Vulnerability details

NVD description: A vulnerability, which was classified as critical, was found in WAVLINK WN535K2 and WN535K3. This affects an unknown part of the file /cgi-bin/mesh.cgi?page=upgrade. The manipulation of the argument key leads to os command injection. The exploit has been disclosed to the public and may be used.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

wavlink wl-wn535k2 firmware, all versions
wavlink wl-wn535k3 firmware, all versions

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78. Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection. This control does not fit CVE-2022-2486: the affected code is a native CGI handler in embedded router firmware, with no managed runtime between it and the shell.

addresses: CWE-78. Validates inputs to block special elements that would alter OS command execution. For this CVE that means allow-list validation of the key parameter before it reaches any command line and, preferably, invoking the upgrade helper without a shell so that metacharacters are never interpreted at all.
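The pattern behind this weakness, and the input-validation control above, as an added example in C that is not WAVLINK's firmware code: a toy CGI upgrade handler that splices the key query parameter into a shell command the way CWE-78 describes, beside a hardened handler that allow-lists the value and launches the helper without a shell. The endpoint and parameter names come from the advisory; the helper program name upgrade_tool, the "--key" argument form, the alphanumeric allow-list and the 64-character limit are assumptions for the illustration, since the command the real firmware runs is not given here.

```c
/* Added example, not WAVLINK code: the CWE-78 shape of CVE-2022-2486
 * in a toy CGI upgrade handler, beside a hardened variant.
 * Assumptions for illustration: the helper is called "upgrade_tool"
 * and takes "--key <value>"; a legitimate key is 1-64 alphanumerics. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Minimal query-string lookup: malloc'd copy of the value of `name`,
 * or NULL if absent. No percent-decoding (a real CGI decodes first). */
static char *query_param(const char *qs, const char *name)
{
    size_t nlen = strlen(name);
    const char *p = qs;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            size_t vlen = plen - nlen - 1;
            char *v = malloc(vlen + 1);
            if (!v) return NULL;
            memcpy(v, p + nlen + 1, vlen);
            v[vlen] = '\0';
            return v;
        }
        p = end ? end + 1 : NULL;
    }
    return NULL;
}

/* VULNERABLE: the value of "key" is concatenated into a command line
 * destined for system(). Returns 0 and fills `out` with that line so
 * the injection is visible without executing anything. */
int build_upgrade_cmd_vulnerable(const char *qs, char *out, size_t outsz)
{
    char *key = query_param(qs, "key");
    if (!key) return -1;
    /* "key=abc;reboot" becomes "upgrade_tool --key abc;reboot":
     * /bin/sh would run upgrade_tool, then reboot. */
    int n = snprintf(out, outsz, "upgrade_tool --key %s", key);
    free(key);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Allow-list check for the key parameter (assumed format). Anything
 * outside [A-Za-z0-9], including ; | & ` $ ( ) < > newline and space,
 * is rejected, so no shell metacharacter can reach a command line. */
int key_is_valid(const char *key)
{
    size_t len = strlen(key);
    if (len == 0 || len > 64) return 0;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)key[i])) return 0;
    return 1;
}

/* HARDENED: validate, then run `tool` via fork/execvp with an argv
 * array. No shell is involved, so the value reaches the helper as one
 * literal argument even if the allow-list were loosened later.
 * Returns the helper's exit status, or -1 on rejection or failure. */
int run_upgrade_hardened(const char *qs, const char *tool)
{
    char *key = query_param(qs, "key");
    if (!key || !key_is_valid(key)) { free(key); return -1; }
    pid_t pid = fork();
    if (pid == 0) {
        char *const argv[] = { (char *)tool, "--key", key, NULL };
        execvp(tool, argv);
        _exit(127); /* exec failed */
    }
    free(key);
    if (pid < 0) return -1;
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *qs = "page=upgrade&key=abc;reboot"; /* constructed request */
    char cmd[256];
    if (build_upgrade_cmd_vulnerable(qs, cmd, sizeof cmd) == 0)
        printf("vulnerable handler would run: sh -c \"%s\"\n", cmd);
    printf("hardened handler on the same input: %d (-1 = rejected)\n",
           run_upgrade_hardened(qs, "true"));
    printf("hardened handler on key=abc123: %d (0 = helper ran)\n",
           run_upgrade_hardened("page=upgrade&key=abc123", "true"));
    return 0;
}
```

The hardened path does two independent things: the allow-list rejects the metacharacters that would turn one command into two, and execvp with an argv array means the kernel, not /bin/sh, receives the arguments, so a value that somehow slipped past the check would still be handed to the helper as a single literal argument rather than parsed as shell syntax. A real CGI must also percent-decode the query string before validating it, which the toy parser omits.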
