Wavlink AC3000 Command Execution Vulnerability in TR069 Functionality

A command execution vulnerability has been identified in the Wavlink AC3000 router, specifically in the adm.cgi set_TR069() function of version M33A8.V5030.210505. This vulnerability allows authenticated attackers to execute arbitrary commands by sending specially crafted HTTP requests. The issue arises because the TR069_local_port parameter can be manipulated to inject commands, which are then executed by the router's operating system.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device.

Reproduction

To reproduce this vulnerability, an authenticated user must send an HTTP POST request to the adm.cgi script with the page parameter set to TR069. The POST data can include various TR069-related fields, but the key to exploiting the vulnerability is to inject commands through the TR069_local_port parameter. Once the request is processed, the injected commands will be executed by the router.

Remediation

Wavlink has acknowledged the vulnerability and is working on a patch, although no specific release date has been provided.