CVE-2022-43704

MEDIUM

Sinilink XY-WFT1 WiFi Remote Thermostat <1.3.6 - Auth Bypass

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-43704. PoCs published by 9lyph.

AI-analyzed exploit summary This repository contains a Python-based PoC for CVE-2022-43704, which exploits an authentication bypass via capture-replay in the Sinilink XY-WFTX WiFi Remote Thermostat. The exploit leverages UDP communication to retrieve device info and send malicious payloads to control the relay without authentication.

Description

The Sinilink XY-WFT1 WiFi Remote Thermostat, running firmware 1.3.6, allows an attacker to bypass the intended requirement to communicate using MQTT. It is possible to replay Sinilink aka SINILINK521 protocol (udp/1024) commands interfacing directly with the target device. This, in turn, allows for an attack to control the onboard relay without requiring authentication via the mobile application. This might result in an unacceptable temperature within the target device's physical environment.

Exploits (1)

nomisec WORKING POC 5 stars

by 9lyph · poc

https://github.com/9lyph/CVE-2022-43704

View Code ZIP pw:eip

This repository contains a Python-based PoC for CVE-2022-43704, which exploits an authentication bypass via capture-replay in the Sinilink XY-WFTX WiFi Remote Thermostat. The exploit leverages UDP communication to retrieve device info and send malicious payloads to control the relay without authentication.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: Sinilink XY-WFTX WiFi Remote Thermostat (Firmware V1.3.6)

No auth needed

Prerequisites: Target device must be in 'Manual Mode' with 'Power On, Close' · Network access to the target device

MITRE ATT&CK

T1557 - Adversary-in-the-Middle T1562.001 - Disable or Modify Tools

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Third Party Advisory

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2022-43704-capture-replay-vulnerability-in-sinilink-xy-wft1-thermostat/

Scores

CVSS v3 5.9

EPSS 0.0187

EPSS Percentile 76.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-294

Status published

Products (1)

sinilink/xy-wft1_firmware 1.3.6

Published Jan 20, 2023

Tracked Since Feb 18, 2026