Wavlink WL-WN578W2 Command Injection Vulnerability in Firewall CGI

Vulnerability

A critical unauthenticated command injection vulnerability has been identified in the Wavlink WL-WN578W2 wireless range extender, firmware version M78W2_V221110. The issue resides in the '/cgi-bin/firewall.cgi' endpoint, where the 'pingFrmWANFilterEnabled', 'blockSynFloodEnabled', 'blockPortScanEnabled', and 'remoteManagementEnabled' parameters are processed by the 'sub_401C5C' function. This function does not sanitize its input, so commands injected through these parameters are executed with root privileges. The vulnerability can be exploited remotely and requires no authentication.

Impact

Exploitation of this vulnerability allows for arbitrary command execution with root privileges on the affected device, potentially leading to unauthorized access, data exfiltration, installation of persistent backdoors, or modification of device settings.

Reproduction

To reproduce this vulnerability, send an unauthenticated POST request to the '/cgi-bin/firewall.cgi' endpoint. Include the 'firewall' parameter set to 'websSysFirewall' and inject commands through the 'remoteManagementEnabled' parameter. The injected commands will be executed on the device with root privileges.

Remediation

It is recommended to apply restrictive firewall rules to block unauthorized access to the vulnerable endpoint.
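
For monitoring alongside such rules, the following added example (not from the advisory or the vendor) checks logged or proxied requests to the endpoint against an allowlist for the four parameters named above. It assumes each flag is normally a plain 0/1 toggle, which the advisory does not state, and the sample requests are constructed.

```python
from urllib.parse import parse_qs

# Endpoint and parameter names are taken from the advisory.
ENDPOINT = "/cgi-bin/firewall.cgi"
FLAG_PARAMS = (
    "pingFrmWANFilterEnabled",
    "blockSynFloodEnabled",
    "blockPortScanEnabled",
    "remoteManagementEnabled",
)
# Assumption (not stated in the advisory): each flag is a plain 0/1 toggle.
ALLOWED_VALUES = {"0", "1"}


def check_request(method, path, body):
    """Return a list of (param, value) pairs that violate the allowlist.

    An empty list means the request is either not aimed at the firewall
    CGI or carries only expected flag values.
    """
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return []
    # keep_blank_values so an empty flag is reported rather than dropped.
    fields = parse_qs(body, keep_blank_values=True)
    findings = []
    for name in FLAG_PARAMS:
        # A parameter may be repeated; every occurrence is checked.
        for value in fields.get(name, []):
            if value not in ALLOWED_VALUES:
                findings.append((name, value))
    return findings


# Constructed sample requests (method, path, form body); not real traffic.
SAMPLES = [
    ("POST", "/cgi-bin/firewall.cgi",
     "firewall=websSysFirewall&remoteManagementEnabled=1&blockSynFloodEnabled=0"),
    ("POST", "/cgi-bin/firewall.cgi",
     "firewall=websSysFirewall&remoteManagementEnabled=1%3Bconstructed-marker"),
    ("POST", "/cgi-bin/login.cgi", "remoteManagementEnabled=1%3Bconstructed-marker"),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        hits = check_request(method, path, body)
        print("ALERT" if hits else "ok", path, hits)
```

Because the check is an allowlist, it flags any unexpected value rather than relying on a list of known-bad characters; the advisory describes the endpoint as unauthenticated, so any POST to it from an untrusted network is itself worth reviewing.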

Added: Sep 12, 2025, 8:20 PM
Updated: Sep 12, 2025, 8:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 5.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.