Command Injection Vulnerability in WAVLINK Routers
CVE-2022-35517

8.8HIGH

Key Information:

Vendor

Wavlink

Vendor
CVE Published:
10 August 2022

What is CVE-2022-35517?

A command injection vulnerability exists in various WAVLINK router models due to insufficient filtering of parameters in the admin interface. Specifically, the parameters such as web_pskValue, wl_Method, wlan_ssid, EncrypType, rwan_ip, rwan_mask, rwan_gateway, ppp_username, ppp_passwd, and ppp_setver can be exploited through the /wizard_router_mesh.shtml page. This flaw poses a risk of unauthorized command execution, potentially allowing attackers to gain control over the affected devices.

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.