CVE-2022-35555
Published: 12 August 2022
Summary
CVE-2022-35555 is a critical-severity OS Command Injection (CWE-78) vulnerability in Tenda W6 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 7.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
A command injection vulnerability exists in the /goform/exeCommand endpoint of Tenda W6 firmware version V1.0.0.9(4122). The flaw, tracked as CWE-78, permits an attacker to supply crafted cmdinput parameters that result in arbitrary operating-system command execution. The issue carries a CVSS 3.1 base score of 9.8, reflecting network accessibility without authentication or user interaction.
Unauthenticated remote attackers can send a single HTTP request to the affected endpoint and obtain full control over the device, including the ability to read or modify configuration, exfiltrate data, or pivot to adjacent network hosts. Because the router exposes the management interface by default, exploitation requires only network reachability to the WAN or LAN IP address.
Public proof-of-concept code has been posted to GitHub, yet the EPSS score remains low and stable (current 0.0763, peak 0.0788), indicating limited observed exploitation activity since disclosure. No vendor advisory or firmware update is referenced in available sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-38441
Vulnerability details
A command injection vulnerability exists in /goform/exeCommand in Tenda W6 V1.0.0.9(4122), which allows attackers to construct cmdinput parameters for arbitrary command execution.
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.