Cyber Resilience

CVE-2022-35518

Critical · Public PoC · RCE

Published: 10 August 2022

Modified: 20 October 2025
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0387 (88.5th percentile)
Risk Priority: 22 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-35518 is a critical-severity Command Injection (CWE-77) vulnerability in WAVLINK WN572HP3 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 11.5% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-35518 is a command-injection vulnerability affecting the nas.cgi component on several WAVLINK router models, specifically WN572HP3, WN533A8, WN530H4, WN535G3, and WN531P3. The root cause is missing input filtering on the User1Passwd and User1 parameters, which allows arbitrary commands to be executed when the /nas_disk.shtml page is accessed.

An unauthenticated attacker with network access can supply crafted values for these parameters to inject and run operating-system commands. Successful exploitation yields full control over the affected device, resulting in complete loss of confidentiality, integrity, and availability as reflected in the CVSS 9.8 rating.

The two reference URLs point to a public repository documenting the issue but contain no information about vendor patches, firmware updates, or recommended mitigations.

The associated EPSS score rose from a low baseline to a peak of 0.0876 on 2025-01-22 before receding to its current value of 0.0387, indicating that exploitation interest increased well after the original disclosure.

Vulnerability details

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 nas.cgi has no filtering on parameters: User1Passwd and User1, which leads to command injection in page /nas_disk.shtml.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

wavlink · wn572hp3 firmware · all versions
wavlink · wn533a8 firmware · all versions
wavlink · wn530h4 firmware · all versions
wavlink · wn535g3 firmware · all versions
wavlink · wn531p3 firmware · all versions

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
