Wavlink AC3000
cpe:2.3:h:wavlink:jetstream_ac3000:*:*:*:*:*:*:*
- M33A8.V5030.210505
A command injection vulnerability has been identified in the Wavlink AC3000 router, specifically in the login.cgi file's set_sys_init() function. This vulnerability allows for arbitrary code execution via OS command injection. It affects the Wavlink AC3000 model with the firmware version M33A8.V5030.210505. The issue arises because the login.cgi file does not properly validate user authentication, allowing attackers to send crafted HTTP requests that exploit this flaw.
Exploitation of this vulnerability allows for arbitrary code execution on the affected device.
To reproduce this vulnerability, send an unauthenticated HTTP POST request to the login.cgi page with the 'page' parameter set to 'sysinit'. Include the 'restart_hour_value', 'restart_min_value', and 'restart_week_value' parameters in the POST data. The injected values will be processed by the set_sys_init() function, which schedules a cron job that executes a shell script, leading to code execution on the device.
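A log-side check for the request described above, as an added example that is not part of the original advisory: it flags POSTs to login.cgi with page=sysinit whose restart_* values are not plain in-range integers. The /cgi-bin/ path, the numeric ranges and the sample request bodies are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs

# Parameter names come from the advisory; the numeric ranges are assumptions
# based on ordinary cron-style hour / minute / weekday fields.
SCHEDULE_RANGES = {
    "restart_hour_value": range(0, 24),
    "restart_min_value": range(0, 60),
    "restart_week_value": range(0, 8),
}

def check_sysinit_post(path, body):
    """Return findings for one POST request; an empty list means nothing to flag."""
    if not path.split("?", 1)[0].endswith("login.cgi"):
        return []
    fields = parse_qs(body, keep_blank_values=True)
    if fields.get("page") != ["sysinit"]:
        return []
    findings = []
    for name, allowed in SCHEDULE_RANGES.items():
        values = fields.get(name, [])
        if len(values) > 1:
            findings.append(f"{name}: repeated parameter")
        for value in values:
            # Strict allowlist: one or two ASCII digits only. This rejects shell
            # metacharacters, whitespace, signs and non-ASCII digit characters.
            if not (value.isascii() and value.isdigit() and len(value) <= 2):
                findings.append(f"{name}: non-numeric value {value!r}")
            elif int(value) not in allowed:
                findings.append(f"{name}: out of range value {value}")
    return findings

# Constructed sample requests (path, urlencoded body); not captured traffic.
SAMPLES = [
    ("/cgi-bin/login.cgi",
     "page=sysinit&restart_hour_value=3&restart_min_value=30&restart_week_value=1"),
    ("/cgi-bin/login.cgi",
     "page=sysinit&restart_hour_value=3%3BPLACEHOLDER&restart_min_value=30&restart_week_value=1"),
    ("/cgi-bin/login.cgi",
     "page=sysinit&restart_hour_value=99&restart_min_value=30&restart_week_value=1"),
]

if __name__ == "__main__":
    for path, body in SAMPLES:
        print(path, check_sysinit_post(path, body) or "ok")
```

The same allowlist applies as a mitigation at a reverse proxy in front of the management interface, since a scheduled-restart field has no legitimate reason to carry anything but a small integer.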