Cyber Resilience

CVE-2022-35536

Critical · Public PoC

Published: 10 August 2022

Modified: 21 November 2024
KEV Added: (none; not listed in CISA KEV)
Patch: (none referenced)
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0187 (83.5th percentile)
Risk Priority: 21 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-35536 is a critical-severity vulnerability of unspecified weakness type in WAVLINK WN572HP3 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 16.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-35536 affects the qos.cgi component in WAVLINK router models WN572HP3, WN533A8, WN530H4, WN535G3, and WN531P3. The CGI script performs no input filtering on the qos_bandwith and qos_dat parameters, enabling command injection when the /qos.shtml page is accessed.

An unauthenticated remote attacker can supply crafted values for these parameters over the network to execute arbitrary commands on the device. The vulnerability carries a CVSS 3.1 score of 9.8, reflecting full confidentiality, integrity, and availability impact without requiring authentication or user interaction.
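As an added example (not from the page or its references), a log-side detection for the flaw described above: it parses combined-format access-log lines, constructed here for the demo, and flags requests to qos.cgi whose qos_bandwith or qos_dat values carry shell metacharacters, the condition a filtering CGI script would have rejected.

```python
import re
from urllib.parse import urlsplit, unquote_plus
# Parameters the advisory names as unfiltered in qos.cgi.
SUSPECT_PARAMS = ("qos_bandwith", "qos_dat")
# Characters that let a value escape into a shell command.
META = re.compile(r"[;&|`$<>(){}\n\r]")
# Combined-log-format line: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)
# Constructed sample log lines for the demo; not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Aug/2022:10:00:01 +0000] "GET /cgi-bin/qos.cgi?qos_bandwith=1000&qos_dat=10 HTTP/1.1" 200 512
192.0.2.20 - - [12/Aug/2022:10:00:02 +0000] "GET /cgi-bin/qos.cgi?qos_bandwith=1;id&qos_dat=10 HTTP/1.1" 200 512
192.0.2.30 - - [12/Aug/2022:10:00:03 +0000] "GET /qos.shtml HTTP/1.1" 200 2048
"""
def query_params(query):
    """Split a query string into {name: [values]}, percent-decoding both sides
    (an encoded %3B is a literal ';' by the time the CGI script sees it)."""
    params = {}
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params

def suspicious_params(target):
    """Return the qos.cgi parameter names whose values carry shell metacharacters."""
    parts = urlsplit(target)
    if not parts.path.endswith("qos.cgi"):
        return []
    query = query_params(parts.query)
    return [name for name in SUSPECT_PARAMS
            if any(META.search(v) for v in query.get(name, []))]

def scan_log(text):
    """One alert per request whose qos.cgi parameters look like injection attempts."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits = suspicious_params(m["target"])
            if hits:
                alerts.append({"ip": m["ip"], "ts": m["ts"], "params": hits})
    return alerts

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Percent-decoding before matching matters because the device decodes the query before the CGI script uses it, so an encoded metacharacter is just as dangerous as a literal one.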

The two provided references consist of GitHub repositories that document the command-injection flaw but contain no information on vendor patches, firmware updates, or other mitigations.

EPSS for the CVE rose from a low baseline to a peak of 0.0876 on 2025-01-22 before receding to its current value of 0.0187.

EU & UK References

Vulnerability details

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 qos.cgi has no filtering on parameters: qos_bandwith and qos_dat, which leads to command injection in page /qos.shtml.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

wavlink wn572hp3 firmware, all versions
wavlink wn533a8 firmware, all versions
wavlink wn530h4 firmware, all versions
wavlink wn535g3 firmware, all versions
wavlink wn531p3 firmware, all versions

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References