CVE-2022-35520
Published: 10 August 2022
Summary
CVE-2022-35520 is a critical-severity vulnerability of an unspecified weakness class in Wavlink Wn572Hp3 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 10.0% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-35520 affects multiple WAVLINK router models including WN572HP3, WN533A8, WN530H4, WN535G3, and WN531P3. The api.cgi endpoint accepts an unfiltered ufconf parameter that does not appear in normal POST requests yet exists in the compiled CGI binary; supplying attacker-controlled input to this hidden parameter on the /ledonoff.shtml page results in unauthenticated command injection.
An attacker with network access can send a crafted request that bypasses any visible form validation and executes arbitrary commands on the device. Successful exploitation grants full control over the router, which matches the CVSS 9.8 rating: complete confidentiality, integrity, and availability impact with no authentication or user interaction required.
Public references consist of technical write-ups hosted on GitHub that document the hidden parameter and reproduction steps; no vendor advisory or firmware patch information is referenced in the available sources.
EPSS scores for the vulnerability rose from a low baseline to a recorded peak of 0.0876, indicating measurable post-disclosure exploitation interest.
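Because ufconf never appears in normal POST requests, its presence in any request to api.cgi is itself a detection signal. The following is an added example, not code from the referenced write-ups or the vendor: it assumes requests are available as (method, target, body) tuples from a proxy or IDS that records bodies, and the sample path and the other form fields are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Characters a shell treats specially; any of them in ufconf raises severity.
SHELL_META = re.compile(r"[;&|`$<>(){}\r\n]")

def inspect_request(method, target, body):
    """Return a finding dict if the request carries ufconf to api.cgi, else None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("api.cgi"):
        return None
    # parse_qsl percent-decodes names and values, so an encoded
    # parameter name such as %75fconf is still recognised.
    params = parse_qsl(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        params += parse_qsl(body, keep_blank_values=True)
    values = [v for k, v in params if k == "ufconf"]
    if not values:
        return None
    has_meta = any(SHELL_META.search(v) for v in values)
    return {
        "path": parts.path,
        "occurrences": len(values),
        # Presence alone is abnormal; shell metacharacters suggest injection.
        "severity": "high" if has_meta else "medium",
    }

def scan(requests):
    """Inspect each request; return (index, finding) for every hit."""
    hits = []
    for i, (method, target, body) in enumerate(requests):
        finding = inspect_request(method, target, body)
        if finding is not None:
            hits.append((i, finding))
    return hits

# Constructed sample traffic (path and field names are assumptions).
SAMPLES = [
    ("POST", "/cgi-bin/api.cgi", "page=ledonoff&led=on"),
    ("POST", "/cgi-bin/api.cgi", "page=ledonoff&ufconf=test"),
    ("POST", "/cgi-bin/api.cgi", "page=ledonoff&%75fconf=a%3BCONSTRUCTED"),
    ("GET", "/index.shtml", ""),
]

if __name__ == "__main__":
    for index, finding in scan(SAMPLES):
        print(index, finding)
```

The check decodes one layer of percent-encoding only; a sensor placed behind another decoding proxy should be fed the request as the device would receive it.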
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-38407
Vulnerability details
WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 api.cgi has no filtering on parameter ufconf, and this is a hidden parameter which doesn't appear in the POST body, but exists in the cgi binary. This leads to command injection in page /ledonoff.shtml.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.