Wavlink WL-WN578W2 Information Disclosure Vulnerability
Vulnerability
An unauthenticated sensitive information disclosure vulnerability exists in Wavlink WL-WN578W2 devices running firmware version 221110. The vulnerability is located in the file '/live_online.shtml', which can be accessed without authentication. This endpoint reveals a complete list of all devices connected to the WiFi network, including their MAC addresses, IP addresses, and device names. The lack of authentication allows attackers to map the network and potentially conduct targeted attacks.
Impact
The endpoint exposes a full inventory of network-connected devices, including their identities and addresses, which facilitates further network attacks.
Reproduction
To reproduce this vulnerability, access the '/live_online.shtml' endpoint on a Wavlink WL-WN578W2 device with firmware version 221110. No authentication is required to view the page, which will display all connected WiFi devices along with their MAC addresses, IP addresses, and device names.
Remediation
It is recommended to implement restrictive firewall rules to block access to the vulnerable endpoint.
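One way to confirm that such a rule is effective is to review access logs from the gateway or proxy that sits in front of the device's web interface. The following is an added example, not part of the original advisory: it assumes Common Log Format lines and a hypothetical management subnet (`ADMIN_NETS`), and it flags any request for `/live_online.shtml` that was still answered successfully for a client outside that subnet.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumption: only this management subnet should reach the device's web UI.
ADMIN_NETS = [ipaddress.ip_network("192.168.10.0/28")]
EXPOSED_PATH = "/live_online.shtml"  # endpoint named in the advisory

# Common Log Format: client ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def normalize(target):
    """Strip query/fragment, percent-decode, collapse slashes, lowercase.
    Lowercasing is deliberately conservative: it may over-match."""
    path = unquote(target.split("?", 1)[0].split("#", 1)[0])
    return re.sub(r"/+", "/", path).lower()

def find_exposures(lines):
    """Return (timestamp, source, status) for requests to EXPOSED_PATH that
    were answered with 2xx for a client outside ADMIN_NETS."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or normalize(m["target"]) != EXPOSED_PATH:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # client field is not an IP address; out of scope here
        if any(src in net for net in ADMIN_NETS):
            continue  # expected management traffic
        if m["status"].startswith("2"):  # the page content was served
            hits.append((m["ts"], str(src), int(m["status"])))
    return hits

# Constructed sample log lines, not captured from a real device.
SAMPLE_LOG = [
    '192.168.10.5 - - [12/Mar/2025:09:14:02 +0000] "GET /live_online.shtml HTTP/1.1" 200 4312',
    '192.168.10.77 - - [12/Mar/2025:09:20:41 +0000] "GET /live_online.shtml HTTP/1.1" 200 4312',
    '192.168.10.77 - - [12/Mar/2025:09:20:45 +0000] "GET //LIVE%5Fonline.shtml?t=1 HTTP/1.1" 200 4312',
    '10.0.0.9 - - [12/Mar/2025:10:02:10 +0000] "GET /live_online.shtml HTTP/1.1" 403 153',
    '192.168.10.77 - - [12/Mar/2025:10:05:00 +0000] "GET /index.shtml HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in find_exposures(SAMPLE_LOG):
        print("unfiltered access:", hit)
```

An empty result over a period in which non-management clients were active indicates the rule is filtering the endpoint; any hit means the page was still served to a client that should have been blocked.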
