CVE-2022-35526
CRITICAL EXPLOITED
WAVLINK WN572HP3 WN533A8 WN530H4 WN535G3 WN531P3 - OS Command Injection via login.cgi Key Parameter
Title source: llm
Exploitation Summary
CVE-2022-35526 has been observed exploited in the wild (reported by VulnCheck KEV).
Description
WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 login.cgi has no filtering on parameter key, which leads to command injection in page /login.shtml.
References (1)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/TyeYeah/othercveinfo/blob/main/wavlink/README.md#wavlink-router-ac1200-page-loginshtml-command-injection-in-logincgi
Scores
CVSS v3
9.8
EPSS
0.0503
EPSS Percentile
89.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV
2021-06-24
Status
published
Products (5)
wavlink/wn530h4_firmware
wavlink/wn531p3_firmware
wavlink/wn533a8_firmware
wavlink/wn535g3_firmware
wavlink/wn572hp3_firmware
Published
Aug 10, 2022
Tracked Since
Feb 18, 2026