⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.

CVE-2022-35555

CWE-78OS Command InjectionCWE-77Command Injection4 documents4 sources
Severity
9.8CRITICAL
EPSS
7.6%
top 8.12%
CISA KEV
Not in KEV
Exploit
Exploited in wild
Active exploitation observed
Affected products
1
Tenda W6 Firmware
Timeline
PublishedAug 12
Latest updateAug 13

Description

A command injection vulnerability exists in /goform/exeCommand in Tenda W6 V1.0.0.9(4122), which allows attackers to construct cmdinput parameters for arbitrary command execution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

NVDtenda/w6_firmware1.0.0.9\(4122\)

🔴Vulnerability Details

3
GHSA
GHSA-w8p2-8xpf-2498: A command injection vulnerability exists in /goform/exeCommand in Tenda W6 V12022-08-13
CVEList
CVE-2022-35555: A command injection vulnerability exists in /goform/exeCommand in Tenda W6 V12022-08-11
VulnCheck
Tenda w6_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')2022
CVE-2022-35555 (CRITICAL CVSS 9.8) | A command injection vulnerability e | cvebase.io