CVE-2022-35534
Published: 10 August 2022
Summary
CVE-2022-35534 is a critical-severity an unspecified weakness vulnerability in Wavlink Wn572Hp3 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 10.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-35534 is a command-injection vulnerability in the wireless.cgi component of several WAVLINK wireless router models, specifically WN572HP3, WN533A8, WN530H4, WN535G3, and WN531P3. The flaw stems from missing input filtering on the hiddenSSID32g and SSID2G2 parameters, which are processed when the device renders the /wifi_multi_ssid.shtml page.
An unauthenticated attacker with network access can supply crafted values for these parameters to execute arbitrary operating-system commands on the device. Successful exploitation yields full control over the router, allowing confidentiality, integrity, and availability impacts consistent with the CVSS 9.8 rating.
Public references consist of technical write-ups hosted on GitHub that document the injection vectors; no vendor advisories or firmware patches are referenced in the available sources. The associated EPSS score reached a peak of 0.0876 before settling at 0.0503, indicating modest post-disclosure interest without evidence of widespread exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-38421
Vulnerability details
WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 wireless.cgi has no filtering on parameter hiddenSSID32g and SSID2G2, which leads to command injection in page /wifi_multi_ssid.shtml.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.