Cyber Resilience

CVE-2022-37860

Critical · Public PoC · RCE

Published: 12 September 2022

Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.4175 (97.5th percentile)
Risk Priority: 45 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-37860 is a critical-severity OS Command Injection (CWE-78) vulnerability in TP-Link M7350 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 2.5% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The vulnerability is a pre-authentication command injection flaw, tracked as CVE-2022-37860 and assigned CWE-78, that affects the web configuration interface of the TP-Link M7350 V3 running firmware version 190531. It carries a CVSS 3.1 base score of 9.8, reflecting network-accessible exploitation with no required credentials or user interaction and full impact on confidentiality, integrity, and availability.

An unauthenticated attacker with network reachability to the device's web interface can inject and execute arbitrary operating-system commands. Successful exploitation grants the attacker complete control over the affected mobile hotspot, including the ability to read or modify data, alter device behavior, or disrupt service.

The vendor references point to updated firmware images hosted on the TP-Link support site for the M7350 V3, indicating that applying a newer firmware release is the intended remediation path. The accompanying disclosure document provides additional technical detail on the issue.

EPSS for the CVE currently stands at 0.4175 with an identical recorded peak, indicating sustained but not sharply increasing exploitation interest since publication.

Vulnerability details

The web configuration interface of the TP-Link M7350 V3 with firmware version 190531 is affected by a pre-authentication command injection vulnerability.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: tp-link
Product: m7350 firmware
Version: 190531

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.
