CVE-2022-37860
Published: 12 September 2022
Summary
CVE-2022-37860 is a critical-severity OS Command Injection (CWE-78) vulnerability in TP-Link M7350 firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 2.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The vulnerability is a pre-authentication command injection flaw, tracked as CVE-2022-37860 and assigned CWE-78, that affects the web configuration interface of the TP-Link M7350 V3 running firmware version 190531. It carries a CVSS 3.1 base score of 9.8, reflecting network-accessible exploitation with no required credentials or user interaction and full impact on confidentiality, integrity, and availability.
An unauthenticated attacker with network reachability to the device's web interface can inject and execute arbitrary operating-system commands. Successful exploitation grants the attacker complete control over the affected mobile hotspot, including the ability to read or modify data, alter device behavior, or disrupt service.
The vendor references point to updated firmware images hosted on the TP-Link support site for the M7350 V3, indicating that applying a newer firmware release is the intended remediation path. The accompanying disclosure document provides additional technical detail on the issue.
The CVE's EPSS score currently stands at 0.4175, identical to its recorded peak, indicating sustained but not sharply increasing exploitation interest since publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-40469
Vulnerability details
The web configuration interface of the TP-Link M7350 V3 with firmware version 190531 is affected by a pre-authentication command injection vulnerability.
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
TP-Link M7350 V3 running firmware version 190531 (web configuration interface).
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the controls listed here are derived from the weakness type (CWE-78) cited in the NVD entry.