cbcvebase.
CVE-2022-2487
published 2022-07-20

Priority: P1 89 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 79.51% (99.6th percentile)
A vulnerability has been found in WAVLINK WN535K2 and WN535K3 and classified as critical. This vulnerability affects unknown code of the file /cgi-bin/nightled.cgi. The manipulation of the argument start_hour leads to os command injection. The exploit has been disclosed to the public and may be used.

Affected (2 ranges)

Vendor    Product   Version range   Fixed in
wavlink   wn535k2
wavlink   wn535k3

Detection & IOCs (extracted from sources)

path:    /cgi-bin/nightled.cgi
command: POST /cgi-bin/nightled.cgi HTTP/1.1 ... page=night_led&start_hour=;{{cmd}};
other:   shodan: http.title:"Wi-Fi APP Login"
other:   fofa: title="wi-fi app login"
other:   google: intitle:"wi-fi app login"
  • HTTP POST to /cgi-bin/nightled.cgi with parameter 'start_hour' containing a semicolon-delimited OS command injection payload (e.g., start_hour=;<cmd>;) indicates exploitation attempt.
  • Successful exploitation response body contains 'uid=', 'gid=', and 'nightStart' simultaneously: match all three words in the HTTP response body together with an HTTP 200 status.
  • Target device identification: look for the HTTP title 'Wi-Fi APP Login' or 'wi-fi app login' on Shodan/FOFA/Google to enumerate exposed Wavlink WN535K2/WN535K3 devices.
  • The vulnerability is unauthenticated (PR:N, UI:N): no credentials are required to exploit the OS command injection via the start_hour parameter.
  • The Nuclei template uses a 10-second timeout for the HTTP request, which may need adjustment in high-latency environments to avoid false negatives.
  • The template uses an OAST/out-of-band callback approach (tagged 'oast') in addition to inline response matching; ensure an interactsh or equivalent OOB server is configured when running the template.
  • The default proof-of-concept command is 'id'; replace it with an appropriate payload for deeper testing, as the template variable 'cmd' is set to 'id' by default.

CVSS provenance

NVD:       v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 8.0   HIGH