CVE-2022-50892

HighPublic PoC

Published: 13 January 2026

Published

13 January 2026

Modified

22 January 2026

KEV Added

—

Patch

—

CVSS Score 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

EPSS Score 0.0019 40.3th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

VIAVIWEB Wallpaper Admin 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating login credentials. Attackers can exploit the login page by injecting 'admin' or 1=1-- - payload to gain unauthorized access to the administrative interface.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 requires information input validation at entry points such as the login form, directly preventing SQL injection payloads from bypassing authentication.

SI-2 Flaw Remediation good match

prevent

SI-2 mandates timely identification, reporting, and remediation of flaws like the SQL injection vulnerability in the login page.

RA-5 Vulnerability Monitoring and Scanning good match

detect

RA-5 requires vulnerability scanning that would identify the SQL injection vulnerability in the authentication mechanism prior to exploitation.

Security SummaryAI

CVE-2022-50892 is a SQL injection vulnerability (CWE-89) in VIAVIWEB Wallpaper Admin 1.0. The flaw resides in the login page, where attackers can bypass authentication by manipulating login credentials with payloads such as 'admin' or 1=1-- -. This grants unauthorized access to the administrative interface. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high confidentiality impact with low complexity and no prerequisites.

Remote attackers with network access to the login page can exploit this vulnerability without prior authentication or user interaction. By injecting the malicious payloads into the login form, they bypass authentication controls and gain entry to the admin interface, enabling potential unauthorized data access or limited administrative functions.

Advisories and a proof-of-concept exploit detail the issue, available at Exploit-DB (https://www.exploit-db.com/exploits/51033), the vendor site (https://www.viaviweb.com), and VulnCheck (https://www.vulncheck.com/advisories/viaviweb-wallpaper-admin-sql-injection-via-login-page).

Details

CWE(s): CWE-89

Affected Products

viaviweb

wallpaper admin

1.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

SQL injection in public-facing web app login page enables remote authentication bypass and unauthorized admin access, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.exploit-db.com/exploits/51033
Exploit, VDB Entry · disclosure@vulncheck.com
https://www.viaviweb.com
Product · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/viaviweb-wallpaper-admin-sql-injection-via-login-page
Third Party Advisory · disclosure@vulncheck.com