CVE-2022-2487
Published 2022-07-20
CVE-2022-2487: A vulnerability has been found in WAVLINK WN535K2 and WN535K3 and classified as critical. This vulnerability affects unknown code of the file…
Priority P1 89 · critical · 9.8 CVSS 3.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 79.51% (99.6th percentile)
A vulnerability has been found in WAVLINK WN535K2 and WN535K3 and classified as critical. This vulnerability affects unknown code of the file /cgi-bin/nightled.cgi. The manipulation of the argument start_hour leads to os command injection. The exploit has been disclosed to the public and may be used.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wavlink | wn535k2 | — | — |
| wavlink | wn535k3 | — | — |
Detection & IOCs (extracted from sources)
- command: POST /cgi-bin/nightled.cgi HTTP/1.1 ... page=night_led&start_hour=;{{cmd}};
- other: shodan: http.title:"Wi-Fi APP Login"
- other: fofa: title="wi-fi app login"
- other: google: intitle:"wi-fi app login"
- HTTP POST to /cgi-bin/nightled.cgi with parameter 'start_hour' containing a semicolon-delimited OS command injection payload (e.g., start_hour=;<cmd>;) indicates exploitation attempt.
- Successful exploitation response body contains 'uid=', 'gid=', and 'nightStart' simultaneously — match all three words in the HTTP response body with HTTP 200 status.
- Target device identification: look for HTTP title 'Wi-Fi APP Login' or 'wi-fi app login' on Shodan/FOFA/Google to enumerate exposed Wavlink WN535K2/WN535K3 devices.
- The vulnerability is unauthenticated (PR:N, UI:N) — no credentials are required to exploit the OS command injection via the start_hour parameter.
- The Nuclei template uses a 10-second timeout for the HTTP request, which may need adjustment in high-latency environments to avoid false negatives.
- The template uses an OAST/out-of-band callback approach (tagged 'oast') in addition to inline response matching; ensure an interactsh or equivalent OOB server is configured when running the template.
- The default proof-of-concept command is 'id'; replace with an appropriate payload for deeper testing, as the template variable 'cmd' is set to 'id' by default.
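The request and response indicators listed above can be combined into one triage check for captured HTTP traffic. This is an added example, not code from the Nuclei template or any of the indexed sources; the function names, the widened metacharacter set (the page names only `;`) and the sample traffic are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

TARGET_PATH = "/cgi-bin/nightled.cgi"
# Assumption: flag any shell metacharacter, not only the ';' the page names.
SHELL_META = re.compile(r"[;|&`$<>(){}\r\n]")
SUCCESS_WORDS = ("uid=", "gid=", "nightStart")  # all three, per the page

def parse_request(raw):
    """Split a raw HTTP request into (method, path, decoded form parameters)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    parts = head.split("\n")[0].split()
    if len(parts) < 2:
        return "", "", {}
    params = {}
    for pair in body.strip().split("&"):
        key, _, value = pair.partition("=")
        # Decode before matching so %3B and '+' cannot hide a payload.
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return parts[0].upper(), parts[1].split("?")[0], params

def classify(raw_request, status=None, response_body=""):
    """Return 'clean', 'attempt' or 'likely-success' for one request/response pair."""
    method, path, params = parse_request(raw_request)
    if method != "POST" or path != TARGET_PATH:
        return "clean"
    if not any(SHELL_META.search(v) for v in params.get("start_hour", [])):
        return "clean"
    if status == 200 and all(w in response_body for w in SUCCESS_WORDS):
        return "likely-success"
    return "attempt"

# Constructed sample traffic (hosts, bodies and responses are made up).
HDR = "POST /cgi-bin/nightled.cgi HTTP/1.1\r\nHost: router.example\r\n\r\n"
SAMPLES = [
    (HDR + "page=night_led&start_hour=22", 200, "nightStart=22"),
    (HDR + "page=night_led&start_hour=%3Bid%3B", 200,
     "uid=0(root) gid=0(root)\nnightStart=;id;"),
    (HDR + "page=night_led&start_hour=;id;", 502, ""),
    ("GET /cgi-bin/nightled.cgi HTTP/1.1\r\nHost: router.example\r\n\r\n", 200, ""),
]

def run_samples():
    return [classify(req, status, body) for req, status, body in SAMPLES]

if __name__ == "__main__":
    for verdict, (req, _, _) in zip(run_samples(), SAMPLES):
        print(verdict, "<-", req.splitlines()[-1] or req.splitlines()[0])
```

A `likely-success` verdict means the device should be treated as compromised and isolated; an `attempt` against a device that is still reachable from the internet is reason to remove that exposure.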
CVSS provenance
- nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck · 8.0 HIGH
GHSA
GHSA-gv4v-6v97-75hc: A vulnerability has been found in WAVLINK WN535K2 and WN535K3 and classified as critical
ghsa_unreviewed·2022-07-21
CVE-2022-2487 [CRITICAL] CWE-78 GHSA-gv4v-6v97-75hc: A vulnerability has been found in WAVLINK WN535K2 and WN535K3 and classified as critical
VulnCheck
wavlink wl-wn535k2 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2022·CVSS 8.0
CVE-2022-2487 [HIGH] wavlink wl-wn535k2 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Affected: wavlink wl-wn535k2
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-14&host_type=src&vulnerability=cve-2022-2487; https://dashboard.shadowserver.org/statist
No detection rules found.
Nuclei
Wavlink WN535K2/WN535K3 - OS Command Injection
nuclei·CVSS 9.8
CVE-2022-2487 [CRITICAL] Wavlink WN535K2/WN535K3 - OS Command Injection
Wavlink WN535K2 and WN535K3 routers are susceptible to OS command injection which affects unknown code in /cgi-bin/nightled.cgi via manipulation of the argument start_hour. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
Template:
```yaml
id: CVE-2022-2487
info:
  name: Wavlink WN535K2/WN535K3 - OS Command Injection
  author: For3stCo1d
  severity: critical
  description: |
    Wavlink WN535K2 and WN535K3 routers are susceptible to OS command injection which affects unknown code in /cgi-bin/nightled.cgi via manipulation of the argument start_hour. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full con
```
No writeups or analysis indexed.
2022-07-20: Published
Exploited in the wild