cbcvebase.
CVE-2022-34576
published 2022-07-25

CVE-2022-34576: A vulnerability in /cgi-bin/ExportAllSettings.sh of WAVLINK WN535 G3 M35G3R.V5030.180927 allows attackers to execute arbitrary code via a crafted POST request.

PriorityP356high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
3.00%
85.7th percentile
A vulnerability in /cgi-bin/ExportAllSettings.sh of WAVLINK WN535 G3 M35G3R.V5030.180927 allows attackers to execute arbitrary code via a crafted POST request.

Affected

1 ranges
VendorProductVersion rangeFixed in
wavlinkwn535g3_firmware

Detection & IOCsextracted from sources · hover to see the quote

path/cgi-bin/ExportAllSettings.sh
  • Send a GET request to /cgi-bin/ExportAllSettings.sh and check for HTTP 200 response containing all four strings: 'Login=', 'Password=', 'Model=', and 'AuthMode=' — their simultaneous presence confirms unauthenticated settings export exposure.
  • Use Shodan queries 'http.html:"Wavlink"', 'http.html:"wavlink"', or 'http.title:"wi-fi app login"' to identify exposed WAVLINK WN535 G3 devices on the internet.
  • Use FOFA queries 'title="wi-fi app login"' or 'body="wavlink"' to identify potentially vulnerable WAVLINK devices.
  • Use Google dork 'intitle:"wi-fi app login"' to find internet-facing WAVLINK WN535 G3 login pages.
  • ·The vulnerability is unauthenticated (PR:N, no authentication required), meaning the /cgi-bin/ExportAllSettings.sh endpoint is accessible without credentials and exposes sensitive router configuration data.
  • ·The affected firmware version is specifically M35G3R.V5030.180927 on the WAVLINK WN535 G3; detections should be scoped to this CPE.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.