CVE-2022-35538

CRITICAL

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 - OS Command Injection via wireless.cgi Parameters

Title source: llm

Description

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 wireless.cgi has no filtering on parameters: delete_list, delete_al_mac, b_delete_list and b_delete_al_mac, which leads to command injection in page /wifi_mesh.shtml.

References (1)

Core 1

Core References

Exploit, Third Party Advisory x_refsource_misc

https://github.com/TyeYeah/othercveinfo/tree/main/wavlink#command-injection-occurs-when-clicking-the-button-in-wavlink-router-ac1200-page-wifi_meshshtml-in-wirelesscgi

Scores

CVSS v3 9.8

EPSS 0.0187

EPSS Percentile 83.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published

Products (5)

wavlink/wn530h4_firmware

wavlink/wn531p3_firmware

wavlink/wn533a8_firmware

wavlink/wn535g3_firmware

wavlink/wn572hp3_firmware

Published Aug 10, 2022

Tracked Since Feb 18, 2026