Cyber Resilience

CVE-2022-34576

HighPublic PoC

Published: 25 July 2022

Published
25 July 2022
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.3776 97.3th percentile
Risk Priority 38 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-34576 is a high-severity an unspecified weakness vulnerability in Wavlink Wn535G3 Firmware. Its CVSS base score is 7.5 (High).

Operationally, ranked in the top 2.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

A vulnerability exists in the /cgi-bin/ExportAllSettings.sh endpoint of the WAVLINK WN535 G3 router running firmware M35G3R.V5030.180927. The flaw permits remote attackers to execute arbitrary code by submitting a specially crafted POST request to the device.

The affected component is reachable over the network without authentication or user interaction. Successful exploitation yields high confidentiality impact while leaving integrity and availability unaffected, enabling an unauthenticated attacker to obtain sensitive information from the device.

The two referenced GitHub reports describe the issue as sensitive information leakage rather than code execution and contain no vendor advisories, patch details, or mitigation guidance.

The EPSS score has remained flat at its recorded peak of 0.3776 with no material upward trajectory after disclosure.

EU & UK References

Vulnerability details

A vulnerability in /cgi-bin/ExportAllSettings.sh of WAVLINK WN535 G3 M35G3R.V5030.180927 allows attackers to execute arbitrary code via a crafted POST request.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

wavlink
wn535g3 firmware
m35g3r.v5030.180927

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References