CVE-2022-2488
published 2022-07-20CVE-2022-2488: A vulnerability was found in WAVLINK WN535K2 and WN535K3 and classified as critical. This issue affects some unknown processing of the file…
PriorityP186critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
28.72%
97.9th percentile
A vulnerability was found in WAVLINK WN535K2 and WN535K3 and classified as critical. This issue affects some unknown processing of the file /cgi-bin/touchlist_sync.cgi. The manipulation of the argument IP leads to os command injection. The exploit has been disclosed to the public and may be used.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wavlink | wn535k2 | — | — |
| wavlink | wn535k3 | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Look for HTTP requests to /cgi-bin/touchlist_sync.cgi with shell metacharacters (e.g., semicolons) in the IP parameter, indicating OS command injection attempts. ↗
- →Shodan fingerprint for exposed Wavlink devices: search for HTTP title 'Wi-Fi APP Login' or 'wi-fi app login'.
- →FOFA/Google fingerprint for exposed Wavlink devices: title equals 'wi-fi app login'.
- →Exploitation produces an HTTP 500 response status from the target device; use this in combination with an out-of-band (OAST/interactsh) HTTP callback to confirm successful command injection.
- →Confirm exploitation via out-of-band HTTP interaction: a successful injection will trigger an outbound HTTP request (wget) to an attacker-controlled server.
- ·The vulnerability is unauthenticated (no credentials required), making it exploitable remotely without prior access.
- ·The exploit requires only a single HTTP GET request (max-request: 1), lowering the bar for automated scanning and exploitation.
- ·EPSS score of 0.9332 (99.8th percentile) indicates this CVE is very likely being actively exploited in the wild.
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck8.0HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-628r-386p-mrwh: A vulnerability was found in WAVLINK WN535K2 and WN535K3 and classified as critical
ghsa_unreviewed·2022-07-21
CVE-2022-2488 [CRITICAL] CWE-78 GHSA-628r-386p-mrwh: A vulnerability was found in WAVLINK WN535K2 and WN535K3 and classified as critical
A vulnerability was found in WAVLINK WN535K2 and WN535K3 and classified as critical. This issue affects some unknown processing of the file /cgi-bin/touchlist_sync.cgi. The manipulation of the argument IP leads to os command injection. The exploit has been disclosed to the public and may be used.
VulnCheck
wavlink wl-wn535k2 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2022·CVSS 8.0
CVE-2022-2488 [HIGH] wavlink wl-wn535k2 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
wavlink wl-wn535k2 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
A vulnerability was found in WAVLINK WN535K2 and WN535K3 and classified as critical. This issue affects some unknown processing of the file /cgi-bin/touchlist_sync.cgi. The manipulation of the argument IP leads to os command injection. The exploit has been disclosed to the public and may be used.
Affected: wavlink wl-wn535k2
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-13&host_type=src&vulnerability=cve-2022-2488; https://dashboard.shadowserver.org/statistics/
No detection rules found.
Nuclei
Wavlink WN535K2/WN535K3 - OS Command Injection
nuclei·CVSS 9.8
CVE-2022-2488 [CRITICAL] Wavlink WN535K2/WN535K3 - OS Command Injection
Wavlink WN535K2/WN535K3 - OS Command Injection
Wavlink WN535K2 and WN535K3 routers are susceptible to OS command injection in /cgi-bin/touchlist_sync.cgi via manipulation of the argument IP. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
Template:
id: CVE-2022-2488
info:
name: Wavlink WN535K2/WN535K3 - OS Command Injection
author: For3stCo1d
severity: critical
description: |
Wavlink WN535K2 and WN535K3 routers are susceptible to OS command injection in /cgi-bin/touchlist_sync.cgi via manipulation of the argument IP. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary
Talos
Slew of WavLink vulnerabilities
blogs_talos·2025-01-15·CVSS 8.0
[HIGH] Slew of WavLink vulnerabilities
## Slew of WavLink vulnerabilities
Lilith >_> of Cisco Talos discovered these vulnerabilities.
Forty-four vulnerabilities and sixty-three CVEs were discovered across ten .cgi and three .sh files, as well as the static login page, of the Wavlink AC3000 wireless router web application.
The Wavlink AC3000 wireless router is one of the most popular gigabit routers in the US, in part due to both its potential speed capabilities and low price point.
Talos is releasing these advisories in accordance with Cisco’s third-party vulnerability disclosure policy . Wavlink has declined to release a patch for these vulnerabilities.
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org , and our latest Vulnerability Advisories are al
Talos
Slew of WavLink vulnerabilities
blogs_talos·2025-01-15·CVSS 8.0
[HIGH] Slew of WavLink vulnerabilities
Lilith >_> of Cisco Talos discovered these vulnerabilities.
Forty-four vulnerabilities and sixty-three CVEs were discovered across ten .cgi and three .sh files, as well as the static login page, of the Wavlink AC3000 wireless router web application.
The Wavlink AC3000 wireless router is one of the most popular gigabit routers in the US, in part due to both its potential speed capabilities and low price point.
Talos is releasing these advisories in accordance with Cisco’s third-party vulnerability disclosure policy. Wavlink has declined to release a patch for these vulnerabilities.
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s we
https://github.com/1angx/webray.com.cn/blob/main/Wavlink/Wavlink%20touchlist_sync.cgi.mdhttps://vuldb.com/?id.204539https://github.com/1angx/webray.com.cn/blob/main/Wavlink/Wavlink%20touchlist_sync.cgi.mdhttps://vuldb.com/?id.204539https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-1999
2022-07-20
Published
Exploited in the wild