CVE-2022-35555
CRITICAL EXPLOITED IN THE WILDTenda W6 V1.0.0.9(4122) - OS Command Injection via cmdinput Parameter
Title source: llmExploitation Summary
CVE-2022-35555 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io).
Description
A command injection vulnerability exists in /goform/exeCommand in Tenda W6 V1.0.0.9(4122), which allows attackers to construct cmdinput parameters for arbitrary command execution.
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/ilovekeer/IOT/blob/main/Tenda/W6/Injection/exeCommand/README.md
Scores
CVSS v3
9.8
EPSS
0.0763
EPSS Percentile
92.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV
2024-05-22
InTheWild.io
2024-05-29
CWE
CWE-78
Status
published
Products (1)
tenda/w6_firmware
1.0.0.9\(4122\)
Published
Aug 12, 2022
Tracked Since
Feb 18, 2026