CVE-2022-31308

7.5 HIGH

📋 TL;DR

WAVLINK AERIAL X 1200M routers running firmware M79X3.V5030.191012 serve the page live_mfg.shtml to clients that have not logged in. The page is built with the web server's exec cmd function (a server-side include in the .shtml page), which runs commands on the router and embeds their output in the returned HTML, so anyone who can reach the web interface reads internal system and configuration details without credentials. The 7.5 rating reflects a confidentiality-only impact: no authentication is needed and the request is trivial, but the flaw does not by itself let the attacker change configuration or run commands of their choosing. Users of the affected model on this firmware are at risk, most acutely where the web interface is reachable from the WAN.

💻 Affected Systems

Products:
  • WAVLINK AERIAL X 1200M (hardware code M79X3)
Versions: M79X3.V5030.191012 is the only build named in the CVE record; other builds have not been confirmed either way, so treat neighbouring builds as suspect until tested
Operating Systems: Embedded router firmware (Linux-based, with a built-in web server)
Default Config Vulnerable: ⚠️ Yes
Notes: live_mfg.shtml is part of the router's built-in web interface and requires no login. From the LAN it is reachable by default; from the WAN it is reachable only if remote management is enabled or the interface has been exposed by port forwarding.

📦 What is this software?

WAVLINK AERIAL X 1200M is a consumer dual-band Wi-Fi router marketed at 1200 Mbps. Its firmware is identified by a hardware platform code (M79X3) and a build string (V5030.191012). Administration is through an embedded web interface whose pages are .shtml files: the web server processes server-side include directives in them, and the exec cmd directive runs a shell command on the router and inserts its output into the returned HTML. live_mfg.shtml is one of those pages; its name suggests a manufacturing or diagnostic view, and it is the page that leaks information in this CVE.

⚠️ Risk & Real-World Impact

🔴

Worst Case

If the leaked output includes credentials (the admin password or Wi-Fi passphrase), an attacker who can reach the web interface logs in as administrator, changes DNS and firewall settings to intercept or redirect traffic, and uses the router as a pivot into the internal network.

🟠

Likely Case

Attackers read router configuration and network details without logging in (interface and MAC addresses, connected hosts, configuration values and possibly credentials), which enables targeted follow-on attacks against the router or the devices behind it.

🟢

If Mitigated

With remote management disabled and the web interface reachable only from a trusted management network, only someone already on that network can read the page, and the impact is limited to the router's own information with no direct path to other systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY (the exploit is a single unauthenticated HTTP GET, so no development effort is needed)
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The GitHub write-up referenced by the CVE record documents the request and the information the page returns. The attacker needs only network reachability to the router's web interface (TCP 80 by default): from the LAN this is the default state, and from the internet it requires remote management to be enabled or the interface to be exposed by port forwarding.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown (the CVE record names no fixed build)

Vendor Advisory: No vendor advisory found

Restart Required: Yes (installing a firmware image reboots the router)

Instructions:

1. Check the WAVLINK support site for an AERIAL X 1200M firmware build newer than M79X3.V5030.191012
2. If one is available, download it and install it through the router's admin interface (firmware upgrade page); the router reboots when the image is written
3. After the reboot, request http://[router-ip]/live_mfg.shtml without logging in and confirm it no longer returns system output (an error page or a redirect to the login page is the expected result)
4. If no newer build exists, apply the workarounds below and rotate any credentials the page may already have exposed (admin password, Wi-Fi passphrase)

🔧 Temporary Workarounds

Disable remote administration

all

Prevent access to the router's web interface from the WAN. Log in to the router admin interface and disable remote (WAN-side) management; on WAVLINK firmware this is typically under Advanced Settings > Remote Management, though the exact menu name varies by build. This does not protect against attackers already on the LAN.

Block access to live_mfg.shtml

linux

If you have a shell on the router, or a Linux firewall in front of it, drop HTTP requests that mention the vulnerable page. Insert the rule at the head of the chain: a typical "-m conntrack --ctstate ESTABLISHED -j ACCEPT" rule earlier in INPUT would otherwise accept the GET packet before the string match is reached. The rule needs the xt_string kernel module, covers only plain HTTP on port 80 (not HTTPS management), is not persistent across reboots unless saved, and also drops legitimate administrative requests for the page.

iptables -I INPUT 1 -p tcp --dport 80 -m string --string "live_mfg.shtml" --algo bm -j DROP

🧯 If You Can't Patch

  • Place the router's management interface on a dedicated management VLAN or subnet that ordinary client devices cannot reach
  • Use an upstream firewall to restrict access to the router's web interface (TCP 80/443) to specific administrator hosts
  • Rotate the admin password and Wi-Fi passphrase, since the page may already have exposed them, and assume anyone who could reach the interface has read the router's configuration
  • Monitor for requests to /live_mfg.shtml (see Detection & Monitoring below)

🔍 How to Verify

Check if Vulnerable:

From a host on the LAN (or via the WAN address if remote management is enabled), request http://[router-ip]/live_mfg.shtml without logging in, using a private browser window or any HTTP client. If the response is HTTP 200 and contains system or network details (interface addresses, MAC addresses, configuration values or passwords), the router is vulnerable: that content is the output of the commands the page runs.

Check Version:

Log in to the router admin interface and read the firmware version from System Status (or the firmware upgrade page); the affected build is M79X3.V5030.191012.

Verify Fix Applied:

Repeat the unauthenticated request for live_mfg.shtml. A fixed or mitigated device returns an error, a redirect to the login page, or no response at all; any system or configuration output in the response means the exposure remains.
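The check above, scripted, as an added example that is not part of the CVE record, the vendor's documentation or the GitHub write-up: it sends one unauthenticated GET for live_mfg.shtml and classifies the response. The indicator patterns (ifconfig-style interface dumps, MAC and RFC 1918 addresses, password-like key=value pairs) are assumptions about what leaked command output looks like rather than confirmed fields of the real page, and the sample body used when no host is given is constructed for the example.

```python
"""Unauthenticated check for the live_mfg.shtml exposure (added example).

Assumptions (not from the CVE record or the vendor): the router serves the
page over plain HTTP on port 80, and a vulnerable device answers HTTP 200
with command output embedded in the HTML. The indicator patterns below are
guesses about what such output looks like, not confirmed fields.
"""
import re
import sys
import urllib.request
from urllib.error import HTTPError, URLError

# Signs that shell-command output or configuration leaked into the page.
INDICATORS = {
    "password_field": re.compile(r"(?i)\b(?:passw(?:or)?d|psk|wpa_?key)\b\s*[:=]\s*\S+"),
    "mac_address": re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b"),
    "private_ip": re.compile(
        r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b"
    ),
    "ifconfig_output": re.compile(r"\bLink encap:|inet addr:|HWaddr\b"),
}


def scan_body(body: str) -> dict:
    """Map indicator name -> list of matching strings found in the response body."""
    findings = {}
    for name, pattern in INDICATORS.items():
        hits = [m.group(0) for m in pattern.finditer(body)]
        if hits:
            findings[name] = hits
    return findings


def assess(status: int, body: str) -> str:
    """Classify a response as 'vulnerable', 'inaccessible' or 'inconclusive'.

    Only an HTTP 200 that also contains recognizable leaked output counts as
    vulnerable; a 200 with unrecognized content (e.g. a login page reached
    through a redirect) is inconclusive and should be inspected by hand.
    """
    if status in (401, 403, 404):
        return "inaccessible"
    if status == 200 and scan_body(body):
        return "vulnerable"
    return "inconclusive"


def fetch(host: str, timeout: float = 5.0):
    """Unauthenticated GET of live_mfg.shtml; returns (status, body)."""
    url = f"http://{host}/live_mfg.shtml"
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2022-31308-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as e:          # 4xx/5xx: the status code is the answer
        return e.code, ""
    except URLError as e:           # no route, connection refused, timeout
        raise SystemExit(f"could not reach {url}: {e.reason}")


# Constructed sample of what a leaking page might contain (not a real capture).
SAMPLE_LEAK = """<html><body><pre>
eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
wpa_key=CorrectHorseBatteryStaple
</pre></body></html>"""

if __name__ == "__main__":
    status, body = fetch(sys.argv[1]) if len(sys.argv) == 2 else (200, SAMPLE_LEAK)
    print(assess(status, body), f"(HTTP {status})")
    for name, hits in scan_body(body).items():
        print(f"  {name}: {len(hits)} hit(s), e.g. {hits[0]}")
```

Run it as python3 check_live_mfg.py 192.168.10.1 against a router you are authorized to test; with no argument it classifies the built-in sample. A vulnerable verdict requires both an HTTP 200 and at least one indicator, so an error status is reported as inaccessible and a 200 without recognizable output as inconclusive, never as a pass.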

📡 Detection & Monitoring

Log Indicators:

  • Requests for /live_mfg.shtml in the router's web server log, or in the logs of a proxy or firewall in front of the router; the page is not needed for normal administration, so any request for it deserves a look, and requests from addresses outside the LAN are the strongest signal
  • Administrative logins shortly after such a request from the same source, which suggests credentials read from the leaked output are being reused

Network Indicators:

  • HTTP GET requests for /live_mfg.shtml to the router's address on TCP 80 (or 443 where HTTPS management is enabled); on port 80 the request path is visible in cleartext to any network sensor

SIEM Query:

source="router_logs" AND url="*live_mfg.shtml*"

Field names depend on the log source; if the page is legitimately used, exclude known administrator addresses to reduce noise.
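The log indicators above, run over sample access-log lines, as an added example rather than anything from the CVE record or the vendor. It assumes the logs are in Apache/nginx common or combined format and that the router's LAN is 192.168.10.0/24 (both assumptions; adjust LOG_RE and LAN_NET for your environment). The log lines are constructed, not captured from a device.

```python
"""Flag requests for live_mfg.shtml in web access logs (added example).

Assumptions (not from the CVE record): common/combined log format, and a
router LAN of 192.168.10.0/24.
"""
import ipaddress
import re
from collections import Counter

# Apache/nginx common or combined format; the router's own log format is
# not documented on this page, so this is an assumption.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

TARGET_PATH = "/live_mfg.shtml"
LAN_NET = ipaddress.ip_network("192.168.10.0/24")  # assumed router LAN


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def outside_lan(src: str, lan_net=LAN_NET) -> bool:
    """True when the source is not a LAN address. Unparsable sources
    (hostnames, '-') are treated as outside so they are not silently ignored."""
    try:
        return ipaddress.ip_address(src) not in lan_net
    except ValueError:
        return True


def detect(lines, lan_net=LAN_NET):
    """Return one alert per request for the vulnerable page.

    Severity: high   - served (2xx) to a source outside the LAN
              medium - served to a LAN source (the page is not needed for
                       normal administration, so still worth a look)
              low    - requested but not served (e.g. 404 after a fix)
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Compare the path only: ignore query strings and letter case.
        path = rec["path"].split("?", 1)[0].lower()
        if path != TARGET_PATH:
            continue
        served = 200 <= rec["status"] < 300
        if served and outside_lan(rec["src"], lan_net):
            severity = "high"
        elif served:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({"src": rec["src"], "ts": rec["ts"],
                       "status": rec["status"], "severity": severity})
    return alerts


def summarize(alerts):
    """Count alerts per (source, severity) for a quick triage view."""
    return Counter((a["src"], a["severity"]) for a in alerts)


# Constructed sample lines (not captured from a real device).
SAMPLE_LOG = [
    '192.168.10.23 - - [10/Jun/2022:14:01:02 +0000] "GET /index.shtml HTTP/1.1" 200 5120',
    '203.0.113.45 - - [10/Jun/2022:14:01:09 +0000] "GET /live_mfg.shtml HTTP/1.1" 200 8831',
    '203.0.113.45 - - [10/Jun/2022:14:01:10 +0000] "GET /LIVE_MFG.SHTML HTTP/1.1" 404 162',
    '192.168.10.23 - - [10/Jun/2022:14:02:30 +0000] "GET /live_mfg.shtml?x=1 HTTP/1.1" 200 8831',
    '198.51.100.7 - - [10/Jun/2022:14:05:00 +0000] "GET /live_mfg.shtml HTTP/1.1" 404 162',
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f'{a["severity"]:6} {a["src"]:15} {a["ts"]} status={a["status"]}')
    print(summarize(found))
```

The LAN membership test is deliberately explicit rather than relying on a generic "is private" check: the question is whether the request came from the network the router is supposed to serve, and Python's ipaddress module also classifies documentation and test ranges as private, which would hide sources like those in the sample.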
