CVE-2022-35533 in WN572HP3
Summary
by MITRE • 08/11/2022
WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 qos.cgi has no filtering on parameters: cli_list and cli_num, which leads to command injection in page /qos.shtml.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 08/11/2022
The vulnerability identified as CVE-2022-35533 affects multiple WAVLINK wireless router models including WN572HP3, WN533A8, WN530H4, WN535G3, and WN531P3. This issue resides within the Quality of Service configuration interface of these devices, specifically in the qos.cgi script that handles network traffic prioritization settings. The affected devices are commonly used in residential and small office environments where network traffic management is essential for maintaining performance across different applications and users.
The technical flaw manifests through insufficient input validation and parameter filtering within the qos.cgi script. When administrators or users interact with the Quality of Service configuration page located at /qos.shtml, the script accepts parameters named cli_list and cli_num without proper sanitization or validation. These parameters are directly incorporated into system commands without adequate filtering mechanisms, creating a classic command injection vulnerability. The absence of input validation allows malicious actors to inject arbitrary commands that will be executed with the privileges of the web server process, typically running with elevated system permissions.
This vulnerability presents significant operational impact as it enables remote command execution on affected devices. Attackers can leverage this flaw to execute arbitrary code on the router, potentially gaining full administrative control over the network infrastructure. The implications extend beyond simple command execution, as the compromised device could be used as a pivot point for attacking other systems within the local network, or the attacker could modify network configurations to redirect traffic or disable security features. The attack surface is particularly concerning given that these are consumer-grade routers that are often deployed in unsecured environments without regular security updates.
The vulnerability aligns with CWE-77 and CWE-94 categories, representing command injection flaws that allow attackers to execute arbitrary commands on the target system. From an ATT&CK framework perspective, this vulnerability maps to techniques such as T1059.001 (Command and Scripting Interpreter: PowerShell) and T1566 (Phishing) as attackers may use the compromised device to facilitate further attacks. Organizations should immediately implement network segmentation to isolate affected devices, apply firmware updates from the manufacturer when available, and consider network monitoring to detect anomalous command execution patterns. Additionally, administrators should disable unnecessary services, implement strong authentication mechanisms, and regularly audit network configurations to prevent unauthorized access to sensitive administrative interfaces. The remediation process should include comprehensive network scanning to identify all affected devices and ensure proper input validation is implemented throughout the application code to prevent similar vulnerabilities in future releases.