Wavlink AC3000 Command Injection Vulnerability in login.cgi Allowing Arbitrary Code Execution
Vulnerability
A command injection vulnerability has been identified in the Wavlink AC3000 router, specifically in the login.cgi file's set_sys_init() function. This vulnerability allows for arbitrary code execution via OS command injection. It affects the Wavlink AC3000 model with the firmware version M33A8.V5030.210505. The issue arises because the login.cgi file does not properly validate user authentication, allowing attackers to send crafted HTTP requests that exploit this vulnerability.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the affected device.
Reproduction
To reproduce this vulnerability, send an unauthenticated HTTP POST request to the login.cgi page with the 'page' parameter set to 'sysinit'. Include the 'restart_min_value', 'restart_hour_value', and 'restart_week_value' POST parameters, formatted correctly, to inject a crontab entry that will be executed as the 'adm2860' user.
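The injection described above is closed when the three schedule parameters are parsed as bounded integers and the crontab line is built only from the parsed numbers. The following C sketch is an added example, not Wavlink's code: the function names, the `REBOOT_CMD` placeholder and the standard cron ranges (minute 0-59, hour 0-23, weekday 0-6) are assumptions. The handler would also need to require an authenticated session before reaching this code.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define REBOOT_CMD "/sbin/reboot" /* assumed fixed command, never taken from the request */

/* Accept s only if it is a plain decimal integer in [lo, hi]. Empty input,
 * signs, whitespace, newlines, shell metacharacters and overflow are rejected. */
static int parse_field(const char *s, long lo, long hi, long *out)
{
    if (s == NULL || *s == '\0')
        return -1;
    for (const char *p = s; *p; p++)
        if (!isdigit((unsigned char)*p))
            return -1;
    errno = 0;
    char *end = NULL;
    long v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < lo || v > hi)
        return -1;
    *out = v;
    return 0;
}

/* Build one crontab line from restart_min_value, restart_hour_value and
 * restart_week_value. Returns 0 on success, -1 if any field is rejected
 * or buf is too small; request bytes are never copied into the line. */
int build_restart_cron(const char *min, const char *hour, const char *week,
                       char *buf, size_t buflen)
{
    long m, h, w;
    if (parse_field(min, 0, 59, &m) || parse_field(hour, 0, 23, &h) ||
        parse_field(week, 0, 6, &w))
        return -1;
    int n = snprintf(buf, buflen, "%ld %ld * * %ld %s\n", m, h, w, REBOOT_CMD);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

int main(void)
{
    char line[64];
    /* Constructed sample inputs: one valid schedule, one value with an embedded newline. */
    int ok = build_restart_cron("30", "4", "0", line, sizeof line);
    int bad = build_restart_cron("30\n31", "4", "0", line, sizeof line);
    printf("valid=%d embedded-newline=%d\n", ok, bad);
    return 0;
}
```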
