Wavlink WN530H4 OS Command Injection Vulnerability in internet.cgi

A critical OS command injection vulnerability exists in the Wavlink WN530H4 router, specifically in the firmware version WN530H4-WAVLINK_20220721. The issue arises in the '/cgi-bin/internet.cgi' file, within the 'set_add_routing' function, which handles HTTP POST parameters for static routing. User-supplied data is directly appended to a shell command using 'strcat()' and 'snprintf()' without proper sanitization, allowing authenticated attackers to inject arbitrary commands. This vulnerability, which can be exploited remotely, has been publicly disclosed and is present in other Wavlink models as well.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary commands with root privileges on the affected router, potentially leading to full device compromise and unauthorized access to network resources.

Reproduction

To reproduce this vulnerability, send a POST request to '/cgi-bin/internet.cgi' with a valid session cookie. Include injected payloads in the 'dest' and 'gateway' parameters. The injected commands will be executed with root privileges on the device.

Remediation

Users are advised to upgrade to Wavlink WN530H4 firmware version 2026.04.16, available for download from the Wavlink Firmware Download page.