Multiple OS command injection vulnerabilities exist in the login.cgi set_sys_init() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can make an unauthenticated HTTP request to trigger these vulnerabilities.A command injection vulnerability exists within the `restart_min_value` POST parameter.
The vulnerability is located in the set_sys_init() function of the login.cgi file handling HTTP requests. An attacker can send a specially crafted HTTP request containing a malicious payload in a POST parameter named restart_min_value. Data from this parameter is passed to the system command interpreter without proper validation or sanitization, resulting in execution of injected commands with the privileges of the process handling the request. The attack requires no authentication or user interaction.
An attacker gains the ability to remotely execute arbitrary system commands on the vulnerable device, which may lead to complete takeover of the router, leakage of configuration data (including credentials), modification of network settings, and exploitation of the device as an entry point to the local network.
Patches available from the manufacturer should be applied in accordance with references. As temporary measures, it is recommended to restrict access to the device's administrative interface only to trusted IP addresses and to isolate the device from external networks using a firewall.
Wavlink AC3000 M33A8, firmware version V5030.210505 (products WL-WN533A8 / WL-WN533A8 Firmware)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HWavlink Wl Wn533a8
HWWavlinkwszystkie wersjeWavlink Wl Wn533a8 Firmware
OSWavlinkm33a8.v5030.210505
Related vulnerabilities
Command injection w Wavlink AC3000 — wykonanie dowolnych poleceń przez adm.cgi
Command injection w firmware Wavlink AC3000 — zdalne wykonanie kodu
Command injection w Wavlink AC3000 – nieautoryzowane wykonanie poleceń
Stack-based buffer overflow w Wavlink AC3000 umożliwia RCE przez HTTP
Buffer overflow w Wavlink AC3000 — podatność w funkcji set_info() usbip.cgi