Login Sign Up

CVE-2022-48166

7.5 HIGH
Authentication Bypass

📋 TL;DR

This vulnerability in Wavlink WL-WN530HG4 routers allows unauthenticated attackers to download configuration files and log files containing admin credentials. It affects users of this specific router model with vulnerable firmware. Attackers can gain administrative access to the router without authentication.

💻 Affected Systems

Products:
  • Wavlink WL-WN530HG4
Versions: M30HG4.V5030.201217
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the specific firmware version mentioned; other versions may also be vulnerable but unconfirmed.

📦 What is this software?

Wl Wn530hg4 Firmware by Wavlink

View all CVEs affecting Wl Wn530hg4 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain full administrative control of the router, enabling them to intercept traffic, modify network settings, install malware, or pivot to internal networks.

🟠

Likely Case

Attackers steal admin credentials and configuration data, potentially compromising the entire network and exposing sensitive information.

🟢

If Mitigated

With proper network segmentation and access controls, impact is limited to the router itself, though credentials would still be exposed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires simple HTTP requests to specific endpoints; no authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

Check Wavlink website for firmware updates. If available, download and install via router admin interface.

🔧 Temporary Workarounds

Block External Access

all

Disable WAN access to router admin interface

Configure firewall to block incoming connections to router IP on ports 80/443

Change Admin Credentials

all

Change router admin password immediately

Login to router admin interface and change admin password

🧯 If You Can't Patch

  • Replace affected router with a different model
  • Isolate router in separate VLAN with strict access controls

🔍 How to Verify

Check if Vulnerable:

Attempt HTTP GET request to router IP at /cgi-bin/ExportAllSettings.sh endpoint without authentication

Check Version:

Check router web interface or use nmap to identify firmware version

Verify Fix Applied:

Verify same request returns authentication error or 404 after firmware update

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated requests to /cgi-bin/ExportAllSettings.sh
  • Multiple failed login attempts followed by successful access

Network Indicators:

  • Unusual outbound traffic from router
  • External IP accessing router admin interface

SIEM Query:

source_ip="router_ip" AND (url_path="/cgi-bin/ExportAllSettings.sh" OR url_path="/cgi-bin/ExportLogs.sh")

📊 Metadata

CVE ID: CVE-2022-48166
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-862
Published: February 6, 2023
Last Updated: March 25, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-48166, you might also want to check these:

CVE-2024-6071 10.0

CVE-2024-6071 is a critical remote code execution vulnerability in PTC Creo Elements/Direct License ...

Same vulnerability type (CWE-862)
CVE-2022-0543 10.0

CVE-2022-0543 is a critical Lua sandbox escape vulnerability in Redis on Debian-based systems that a...

Same vulnerability type (CWE-862)
CVE-2024-6500 10.0

This vulnerability allows unauthenticated attackers to read and delete arbitrary files on WordPress ...

Same vulnerability type (CWE-862)