Cyber Resilience

CVE-2022-35555

Critical · Public PoC · RCE

Published: 12 August 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: none referenced
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0763 (92.1st percentile)
Risk Priority: 24 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-35555 is a critical-severity OS Command Injection (CWE-78) vulnerability in Tenda W6 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 7.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

A command injection vulnerability exists in the /goform/exeCommand endpoint of Tenda W6 firmware version V1.0.0.9(4122). The flaw, tracked as CWE-78, permits an attacker to supply crafted cmdinput parameters that result in arbitrary operating-system command execution. The issue carries a CVSS 3.1 base score of 9.8, reflecting network accessibility without authentication or user interaction.

Unauthenticated remote attackers can send a single HTTP request to the affected endpoint and obtain full control over the device, including the ability to read or modify configuration, exfiltrate data, or pivot to adjacent network hosts. Because the router exposes the management interface by default, exploitation requires only network reachability to the WAN or LAN IP address.

Public proof-of-concept code has been posted to GitHub, yet the EPSS score remains low and stable (current 0.0763, peak 0.0788), indicating limited observed exploitation activity since disclosure. No vendor advisory or firmware update is referenced in available sources.

Vulnerability details

A command injection vulnerability exists in /goform/exeCommand in Tenda W6 V1.0.0.9(4122), which allows attackers to construct cmdinput parameters for arbitrary command execution.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: tenda
Product: w6 firmware
Version: 1.0.0.9(4122)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.
- Addresses CWE-78: Validate inputs to block special elements that would alter OS command execution.
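As an added illustration of the input-validation control above (this is example code, not from the page or the vendor): a log-review check that flags any request to the /goform/exeCommand endpoint named in the advisory and escalates when the cmdinput value carries shell metacharacters. The log format, addresses and sample lines are constructed for the example.

```python
"""Access-log check for CVE-2022-35555 style requests (added example, not the page's code)."""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter named in the advisory text.
VULN_PATH = "/goform/exeCommand"
VULN_PARAM = "cmdinput"

# Characters that let a value alter the command line (the CWE-78 "special elements").
SHELL_META = re.compile(r"[;&|`$<>\\\n]")

# Combined-log-format line: ip ident user [timestamp] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Aug/2022:10:00:01 +0000] "GET /goform/exeCommand?cmdinput=ls HTTP/1.1" 200 512
192.0.2.11 - - [12/Aug/2022:10:00:02 +0000] "GET /goform/exeCommand?cmdinput=ls%3Bid HTTP/1.1" 200 1024
192.0.2.12 - - [12/Aug/2022:10:00:03 +0000] "POST /goform/exeCommand HTTP/1.1" 200 64
192.0.2.13 - - [12/Aug/2022:10:00:04 +0000] "GET /goform/status HTTP/1.1" 200 128
"""


def classify_request(method: str, target: str) -> Optional[str]:
    """Return an alert label for one request, or None if it does not touch the endpoint."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    if method == "POST":
        # Body parameters are not recorded in a plain access log, so the value cannot be inspected here.
        return "review: POST to exeCommand (cmdinput not visible in access log)"
    values = parse_qs(parts.query).get(VULN_PARAM, [])  # parse_qs percent-decodes the values
    if any(SHELL_META.search(v) for v in values):
        return "high: shell metacharacters in cmdinput"
    return "medium: exeCommand endpoint reached"


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (source ip, label) for every parsable line that touches the vulnerable endpoint."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        label = classify_request(m["method"], m["target"])
        if label is not None:
            hits.append((m["ip"], label))
    return hits


if __name__ == "__main__":
    for ip, label in scan_log(SAMPLE_LOG):
        print(ip, label)
```

The POST branch is deliberately conservative: because the unauthenticated endpoint itself is the problem, any request reaching it is worth review even when the parameter value cannot be seen in the log.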
