CVE-2022-35572
First published: Mon Sep 12 2022(Updated: )
On Linksys E5350 WiFi Router with firmware version 1.0.00.037 and lower, (and potentially other vendors/devices due to code reuse), the /SysInfo.htm URI does not require a session ID. This web page calls a show_sysinfo function which retrieves WPA passwords, SSIDs, MAC Addresses, serial numbers, WPS Pins, and hardware/firmware versions, and prints this information into the web page. This web page is visible when remote management is enabled. A user who has access to the web interface of the device can extract these secrets. If the device has remote management enabled and is connected directly to the internet, this vulnerability is exploitable over the internet without interaction.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linksys E5350 Firmware | <=1.0.00.037 | |
| Linksys E5350 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2022-35572?
CVE-2022-35572 is a vulnerability that affects the Linksys E5350 WiFi Router with firmware version 1.0.00.037 and lower.
How severe is CVE-2022-35572?
CVE-2022-35572 has a severity rating of 7.5 (high).
How does CVE-2022-35572 affect the affected routers?
CVE-2022-35572 allows unauthorized access to sensitive information such as WPA passwords, SSIDs, MAC addresses, serial numbers, and WPS.
Are other devices affected by CVE-2022-35572?
Other vendors/devices may also be affected if they reuse the same code as the Linksys E5350 WiFi Router.
How can I fix CVE-2022-35572?
To fix CVE-2022-35572, update the firmware of the affected Linksys E5350 WiFi Router to version 1.0.00.038 or higher.
- collector/nvd-index
- agent/weakness
- agent/type
- agent/event
- vendor/linksys
- canonical/linksys e5350 firmware
- version/linksys e5350 firmware/1.0.00.037
- canonical/linksys e5350