CVE-2022-39987
Description
A Command injection vulnerability in RaspAP 2.8.0 thru 2.9.2 allows an authenticated attacker to execute arbitrary OS commands as root via the "entity" POST parameters in /ajax/networking/get_wgkey.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated command injection in RaspAP 2.8.0-2.9.2 via unsanitized 'entity' parameter allows root-level OS command execution.
Vulnerability Overview
CVE-2022-39987 is a command injection vulnerability in RaspAP versions 2.8.0 through 2.9.2, a popular web-based wireless router management interface for Debian-based devices [1]. The flaw exists in the /ajax/networking/get_wgkey.php endpoint, where the entity POST parameter is passed unsanitized to a system shell. This allows an attacker who has already authenticated to the RaspAP web interface to inject arbitrary OS commands [3].
Attack Vector & Prerequisites
Exploitation requires prior authentication to the RaspAP web panel, which is typically protected by a login form. Once authenticated, an attacker can send a crafted HTTP POST request to get_wgkey.php containing malicious shell metacharacters in the entity parameter [2]. The application does not filter or escape the input before incorporating it into a shell command, leading to injection.
Impact & Scope
Because the vulnerable script runs with root privileges (common for networking-related functionality in RaspAP), a successful injection gives the attacker full control over the underlying operating system. This can be leveraged to install persistent backdoors, exfiltrate data, pivot to other hosts on the network, or disrupt services. The attack is network-based: it requires only network connectivity to the RaspAP management interface, not physical access.
Remediation
The vulnerability has been patched in commit e87e7d1d by sanitizing the entity parameter with escapeshellcmd() [4]. Users are strongly advised to upgrade to RaspAP version 2.9.3 or later, which includes this fix [2]. There is no workaround short of upgrading, as the vulnerable code path is essential for WireGuard key management functionality. If an upgrade is not immediately possible, restricting network access to the RaspAP web interface and monitoring for unexpected administrative logins may reduce risk.
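A stricter handling of the same parameter, as an added example in PHP that is not RaspAP's code: it allowlists the name before use and quotes it as a single argument with escapeshellarg(). How the script uses entity is not shown on this page, so the file path, the command, the pattern and the function names validate_entity and build_key_command are assumptions.

```php
<?php
// Added example, not RaspAP code. Assumption: "entity" is a short name that
// ends up inside a file name passed to a shell command.

const ENTITY_PATTERN = '/\A[A-Za-z0-9_-]{1,32}\z/'; // hypothetical allowlist

/** Return the validated entity name, or null when it is missing or malformed. */
function validate_entity(array $post): ?string
{
    $value = $post['entity'] ?? null;
    // Reject arrays and other non-strings as well as names outside the allowlist.
    if (!is_string($value) || preg_match(ENTITY_PATTERN, $value) !== 1) {
        return null;
    }
    return $value;
}

/** Build a command with the entity-derived path as exactly one quoted argument. */
function build_key_command(string $entity): string
{
    // Hypothetical path and command, used only to show the quoting.
    $path = '/tmp/' . $entity . '-public.key';
    return 'cat -- ' . escapeshellarg($path);
}

// Constructed sample inputs.
$samples = [
    ['entity' => 'peer'],          // plain name
    ['entity' => 'peer --extra'],  // contains a space
    ['entity' => '../peer'],       // contains path characters
    ['entity' => ['peer']],        // array instead of string
    [],                            // parameter missing
];

foreach ($samples as $post) {
    $entity = validate_entity($post);
    if ($entity === null) {
        // Fail closed: nothing derived from the request reaches a shell.
        echo 'rejected: ' . json_encode($post) . PHP_EOL;
        continue;
    }
    echo 'accepted: ' . build_key_command($entity) . PHP_EOL;
}
```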
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| billz/raspap-webgui (Packagist) | >= 2.8.0, < 2.9.5 | 2.9.5 |
Affected products
- RaspAP/RaspAP (description)
Patches
e87e7d1d3a61 Sanitize post with escapeshellcmd()
1 file changed · +1 −1
ajax/networking/get_wgkey.php+1 −1 modified@@ -3,7 +3,7 @@ require '../../includes/csrf.php'; require_once '../../includes/config.php'; -$entity = $_POST['entity']; +$entity = escapeshellcmd($_POST['entity']); if (isset($entity)) {
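Review bot: the isset($entity) check on the context line after the changed assignment no longer guards anything, because escapeshellcmd() always returns a string; a request without entity now passes the check with an empty value and also reads an undefined array key. Test isset($_POST['entity']) before assigning. Separately, escapeshellcmd() is meant for a whole command string and leaves spaces intact. How $entity is used lies outside this hunk, but if it becomes a single argument or part of a file name, escapeshellarg() at the point of use, or an allowlist check on the name, would be tighter.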
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-7r88-wjhj-jr8m (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-39987 (ghsa, ADVISORY)
- github.com/RaspAP/raspap-webgui/blob/master/ajax/networking/get_wgkey.php (ghsa, WEB)
- github.com/RaspAP/raspap-webgui/commit/e87e7d1d3a61617430851f2a040379de1ff3dd9d (ghsa, WEB)
- github.com/RaspAP/raspap-webgui/pull/1395 (ghsa, WEB)
- github.com/RaspAP/raspap-webgui/releases/tag/2.9.5 (ghsa, WEB)
- medium.com/@ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2 (ghsa, WEB)
- medium.com/%40ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2 (mitre)