Wavlink AC3000 OS Command Injection Vulnerability in adm.cgi sch_reboot() Function
Vulnerability
Multiple operating system command injection vulnerabilities have been identified in the Wavlink AC3000 router, specifically in the adm.cgi file within the sch_reboot() function. These vulnerabilities allow for arbitrary code execution via specially crafted HTTP requests. The issues arise in the restart_hour, restart_min, and restart_week POST parameters. An authenticated user can exploit these vulnerabilities by sending requests that inject malicious commands, which are then executed with elevated privileges.
Impact
Exploitation of these vulnerabilities allows authenticated users to execute arbitrary commands on the router with elevated privileges, potentially leading to unauthorized access or control over the device.
Reproduction
To reproduce this vulnerability, an authenticated user must send a POST request to the adm.cgi sch_reboot page, including crafted values for the restart_hour, restart_min, and restart_week parameters. The injected values must be formatted correctly to be accepted by the router's scheduling system, which will then execute the injected commands as scheduled tasks.
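A mitigation sketch for the three parameters named above, as an added example that is not Wavlink's code or part of the original advisory: each value is parsed as a bounded integer and only the parsed numbers are written into the schedule entry. The function names, the cron-style line format, the single-day 0-6 range for restart_week and the /sbin/reboot path are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse s as a plain decimal integer in [lo, hi]; reject anything else.
 * Returns 0 and stores the value on success, -1 otherwise. */
static int parse_field(const char *s, long lo, long hi, long *out)
{
    char *end;
    long v;

    /* First byte must be a digit: rules out empty input, signs, whitespace. */
    if (s == NULL || *s < '0' || *s > '9')
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    /* *end != '\0' rejects any trailing byte (separators, newlines, quotes). */
    if (errno != 0 || *end != '\0' || v < lo || v > hi)
        return -1;
    *out = v;
    return 0;
}

/* Hypothetical helper: build one cron-style line from the POST values.
 * The raw request strings never reach buf, only the range-checked integers,
 * and the command is a fixed string (assumed path) chosen by the firmware. */
int build_reboot_entry(const char *restart_hour, const char *restart_min,
                       const char *restart_week, char *buf, size_t len)
{
    long h, m, w;
    int n;

    if (parse_field(restart_hour, 0, 23, &h) != 0 ||
        parse_field(restart_min, 0, 59, &m) != 0 ||
        parse_field(restart_week, 0, 6, &w) != 0)
        return -1;

    n = snprintf(buf, len, "%ld %ld * * %ld /sbin/reboot\n", m, h, w);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;   /* fail on truncation */
}
```

Writing the entry to the schedule file directly, rather than passing it through a shell, keeps the validated line from being reinterpreted after the check.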
