Cyber Resilience

CVE-2022-36553

Critical · RCE

Published: 29 August 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: none listed
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9361 (99.8th percentile)
Risk Priority: 76 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-36553 is a critical-severity Command Injection (CWE-77) vulnerability in Hytec Inter HWL-2511-SS firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

Hytec Inter HWL-2511-SS firmware versions 1.05 and earlier contain a command injection vulnerability in the /www/cgi-bin/popen.cgi component, tracked as CVE-2022-36553 and assigned CWE-77. The flaw received a CVSS 3.1 base score of 9.8, reflecting network attack vector, low complexity, and no required privileges or user interaction, with full impacts to confidentiality, integrity, and availability.

An unauthenticated remote attacker can supply crafted input to the affected CGI endpoint and execute arbitrary operating-system commands on the device. Successful exploitation grants complete control over the wireless LAN controller, enabling actions such as configuration changes, data exfiltration, or deployment of persistent malware.

The supplied references consist of a public gist containing technical details and vendor product pages; none of the listed URLs describe official patches, firmware updates, or mitigation steps. The associated EPSS score remains elevated, with a current value of 0.9361 and a recorded peak of 0.9370.

Vulnerability details

Hytec Inter HWL-2511-SS v1.05 and below was discovered to contain a command injection vulnerability via the component /www/cgi-bin/popen.cgi.

CWE(s)

CWE-77: Command Injection

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Hytec Inter HWL-2511-SS firmware, versions ≤ 1.05

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.