Multiple OS command injection vulnerabilities exist in the login.cgi set_sys_init() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can make an unauthenticated HTTP request to trigger these vulnerabilities.A command injection vulnerability exists within the `restart_hour_value` POST parameter.
The vulnerability is located in the set_sys_init() function handled by the login.cgi script. An attacker sends a specially crafted HTTP POST request containing a malicious value in the `restart_hour_value` parameter. This parameter is not properly validated or filtered before being passed to a system call, allowing injection and execution of arbitrary operating system commands on the device. The attack is possible without prior authentication to the device.
An attacker can take full control of the device by executing arbitrary commands at its level, which includes the ability to read and modify configuration, eavesdrop on network traffic, and use the device as an entry point to the internal network.
Apply patches available from the manufacturer according to references. Until an update is applied, it is recommended to restrict access to the device's administrative interface only from trusted IP addresses and avoid exposing the device directly to Internet access.
Wavlink AC3000 WL-WN533A8 with firmware version M33A8.V5030.210505
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HWavlink Wl Wn533a8
HWWavlinkwszystkie wersjeWavlink Wl Wn533a8 Firmware
OSWavlinkm33a8.v5030.210505
Related vulnerabilities
Command injection w Wavlink AC3000 — wykonanie dowolnych poleceń przez adm.cgi
Command injection w firmware Wavlink AC3000 — zdalne wykonanie kodu
Command injection w Wavlink AC3000 – nieautoryzowane wykonanie poleceń
Stack-based buffer overflow w Wavlink AC3000 umożliwia RCE przez HTTP
Buffer overflow w Wavlink AC3000 — podatność w funkcji set_info() usbip.cgi