CVE-2022-31311
📋 TL;DR
This vulnerability allows unauthenticated attackers to execute arbitrary operating system commands on WAVLINK AERIAL X 1200M routers by sending specially crafted POST requests to the adm.cgi endpoint. Attackers can gain full control of affected devices, potentially compromising network security. Organizations and individuals using these routers are affected.
💻 Affected Systems
- WAVLINK AERIAL X 1200M M79X3
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete device takeover leading to persistent backdoor installation, network traffic interception, lateral movement to other devices, and participation in botnets or ransomware attacks.
Likely Case
Remote code execution allowing attackers to modify router settings, steal credentials, redirect traffic, or use the device as a pivot point for further attacks.
If Mitigated
Limited impact if devices are behind firewalls, not internet-facing, and network segmentation prevents lateral movement.
🎯 Exploit Status
The vulnerability requires sending a crafted POST request to a specific endpoint, which is straightforward for attackers with basic scripting knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not found
Restart Required: No
Instructions:
Check the WAVLINK website for firmware updates. If an update is available:
1. Download the latest firmware from the vendor site.
2. Access the router admin interface.
3. Navigate to the firmware update section.
4. Upload and apply the new firmware.
5. Verify the update completed successfully.
🔧 Temporary Workarounds
Block adm.cgi Access
Linux: Use firewall rules to block external access to the adm.cgi endpoint
# Matches the literal string "adm.cgi" in the TCP payload; this only works on plaintext HTTP (port 80).
# The port 443 rule cannot inspect TLS-encrypted requests, and a request split across packets may evade the string match.
iptables -A INPUT -p tcp --dport 80 -m string --string "adm.cgi" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "adm.cgi" --algo bm -j DROP
Disable Remote Administration
All platforms: Turn off remote management features in the router settings
🧯 If You Can't Patch
- Isolate affected routers in separate network segments with strict firewall rules
- Implement network monitoring and intrusion detection for suspicious POST requests to adm.cgi
🔍 How to Verify
Check if Vulnerable:
Test if adm.cgi endpoint accepts POST requests with command injection payloads. Use curl: curl -X POST http://router-ip/adm.cgi --data 'test=;id'
Check Version:
Check router web interface or use: curl http://router-ip/status.cgi | grep version
Verify Fix Applied:
Attempt the same request after applying mitigations; you should receive an access-denied response or see no command execution.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /adm.cgi with shell metacharacters
- Unusual command execution in system logs
- Failed authentication attempts followed by POST to adm.cgi
Network Indicators:
- POST requests to adm.cgi containing semicolons, pipes, or backticks
- Outbound connections from router to suspicious IPs
SIEM Query:
source="router_logs" AND (uri_path="/adm.cgi" AND http_method="POST" AND (raw_request CONTAINS ";" OR raw_request CONTAINS "|" OR raw_request CONTAINS "`"))
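The SIEM query above expressed as standalone detection logic, as an added example that is not part of the original advisory. It parses a constructed access-log format (a hypothetical format with the request body appended as body="..."; real router logs will differ) and flags POST requests to /adm.cgi whose decoded body contains shell metacharacters.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not captured from a real device); RFC 5737 test addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jun/2022:10:00:01 +0000] "POST /adm.cgi HTTP/1.1" 200 512 body="page=wifi&ssid=home"
198.51.100.7 - - [01/Jun/2022:10:00:05 +0000] "POST /adm.cgi HTTP/1.1" 200 128 body="test=%3Bid"
198.51.100.7 - - [01/Jun/2022:10:00:09 +0000] "POST /adm.cgi HTTP/1.1" 200 128 body="cmd=`uname`"
192.0.2.10 - - [01/Jun/2022:10:01:00 +0000] "GET /status.cgi HTTP/1.1" 200 64 body=""
"""

# Hypothetical log layout: client, identd, user, [timestamp], "METHOD PATH PROTO", status, size, body="...".
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ body="(?P<body>[^"]*)"'
)
# Shell metacharacters named in the advisory (semicolon, pipe, backtick) plus $( command substitution.
META = re.compile(r"[;|`]|\$\(")

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(rec):
    """True for a POST to /adm.cgi whose percent-decoded body contains a shell metacharacter."""
    if rec["method"] != "POST" or rec["path"].split("?", 1)[0] != "/adm.cgi":
        return False
    # Decode percent-encoding so "%3B" is inspected as ";" just as the CGI would see it.
    return bool(META.search(unquote(rec["body"])))

def find_alerts(log_text):
    """Return (source_ip, timestamp, decoded_body) for every suspicious request in the log."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            alerts.append((rec["src"], rec["ts"], unquote(rec["body"])))
    return alerts

if __name__ == "__main__":
    for src, ts, body in find_alerts(SAMPLE_LOG):
        print(f"ALERT {ts} {src} POST /adm.cgi body={body!r}")
```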