CVE-2022-31846 – This vulnerability in WAVLINK WN535 G3 routers ... (How to Fix)

📋 TL;DR

This vulnerability in WAVLINK WN535 G3 routers allows attackers to execute commands via the live_mfg.shtml endpoint, potentially exposing sensitive router information. Attackers can exploit this to gain unauthorized access to configuration details. Affected users are those running vulnerable firmware versions on these specific router models.

💻 Affected Systems

Products:

WAVLINK WN535 G3

Versions: M35G3R.V5030.180927 and likely earlier versions

Operating Systems: Embedded router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability exists in the web interface component live_mfg.shtml which appears to be accessible by default.

📦 What is this software?

Wn535g3 Firmware by Wavlink

View all CVEs affecting Wn535g3 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain full administrative control of the router, intercept network traffic, modify configurations, and potentially pivot to internal network devices.

🟠

Likely Case

Attackers extract sensitive router information including credentials, network configurations, and device details, leading to further exploitation.

🟢

If Mitigated

With proper network segmentation and access controls, impact is limited to the router itself without lateral movement.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The exploit involves simple HTTP requests to the vulnerable endpoint with command execution parameters.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Check WAVLINK website for firmware updates
2. If update available, download and apply via router web interface
3. Verify the live_mfg.shtml endpoint is no longer accessible or vulnerable

🔧 Temporary Workarounds

Block access to vulnerable endpoint

linux

Use router firewall rules to block access to /live_mfg.shtml

iptables -A INPUT -p tcp --dport 80 -m string --string "live_mfg.shtml" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "live_mfg.shtml" --algo bm -j DROP

Disable web interface from WAN

all

Configure router to only allow web interface access from LAN

🧯 If You Can't Patch

Isolate affected routers in separate network segments with strict firewall rules
Implement network monitoring for unusual access to router management interfaces

🔍 How to Verify

Check if Vulnerable:

Attempt to access http://[router-ip]/live_mfg.shtml?cmd=ls or similar command execution

Check Version:

Check router web interface or use: curl -s http://[router-ip]/ | grep -i firmware

Verify Fix Applied:

Verify the endpoint no longer responds or returns error for command execution attempts

📡 Detection & Monitoring

Log Indicators:

HTTP requests to /live_mfg.shtml with cmd parameter
Unusual command execution in router logs

Network Indicators:

HTTP traffic to router IP on port 80/443 containing 'live_mfg.shtml' and 'cmd='

SIEM Query:

source="router_logs" AND uri="/live_mfg.shtml" AND query="*cmd=*"

📊 Metadata

CVE ID: CVE-2022-31846

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-668

Published: June 14, 2022

Last Updated: November 21, 2024

🔗 References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30489 Not Applicable
https://github.com/pghuanghui/CVE_Request/blob/main/WAVLINK%20WN535%20G3__live_mfg.md Exploit,Third Party Advisory
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30489 Not Applicable
https://github.com/pghuanghui/CVE_Request/blob/main/WAVLINK%20WN535%20G3__live_mfg.md Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-31846, you might also want to check these: