CVE-2023-29708

7.5 HIGH

📋 TL;DR

This vulnerability allows an unauthenticated attacker to force a factory reset on WavLink WavRouter devices by sending a crafted request to the /cgi-bin/adm.cgi endpoint of the web management interface. A remote attacker can return the device to factory-default settings, which wipes its configuration, drops network connectivity, and leaves the device running with defaults (including default administrative credentials) until someone reconfigures it. This affects WavLink WavRouter RPT70HA1.x devices whose web interface is reachable from an untrusted network.

💻 Affected Systems

Products:
  • WavLink WavRouter
Versions: RPT70HA1.x
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices with the web management interface enabled and reachable by the attacker. No authentication is required for exploitation, so any host that can reach TCP 80/443 on the device can trigger the reset.

📦 What is this software?

WavLink WavRouter devices are consumer wireless routers and range extenders administered through an embedded web interface served by CGI programs under /cgi-bin/; adm.cgi, the endpoint at issue here, is one of those administrative handlers.
⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete network disruption and loss of all configuration (Wi-Fi settings, port forwards, firewall rules, admin password). The device comes back with factory defaults, so an attacker who can reach it after the reset may log in with default credentials, and anything that depended on the pre-reset configuration (segmentation, disabled services) is gone, enabling follow-on attacks.

🟠 Likely Case

Network downtime and service disruption until an administrator notices the device has reverted and manually reconfigures it. Repeated resets can keep a site offline indefinitely.

🟢 If Mitigated

Exposure is limited to devices whose web interface is reachable only from trusted, segmented management networks with no internet exposure.

🌐 Internet-Facing: HIGH - Directly exploitable over HTTP without authentication if the web interface is reachable from the internet.
🏢 Internal Only: MEDIUM - Requires a foothold on a network that can reach the device, but is still exploitable without authentication (for example from any compromised client on the LAN or Wi-Fi).

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is a single HTTP POST request to the vulnerable endpoint; no session, token, or credential is needed. Proof-of-concept code is reported to be available in a public GitHub repository.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Unknown (firmware upgrades on this class of device normally reboot the unit)

Instructions:

No official patch is known. Check the WavLink support site for firmware newer than RPT70HA1.x and read the release notes for a fix covering this CVE or unauthenticated access to /cgi-bin/adm.cgi. If an update exists, download it and apply it through the web interface, then confirm the reported firmware version changed. Any re-test of the reset itself should be done in a maintenance window with the configuration backed up, since a successful test wipes the device.

🔧 Temporary Workarounds

Disable web interface (applies to: all affected versions)

Disable the router's web management interface if it is not required for operations. If it must stay on, restrict it to the LAN side and block access to TCP 80/443 on the device from the WAN and from untrusted client segments.

Network segmentation (applies to: all affected versions)

Place affected routers in an isolated management segment with strict access controls so that only designated administrator hosts can reach the web interface.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the device's web interface from untrusted networks and ordinary clients
  • Deploy network-based intrusion detection in front of the device to alert on POST requests to /cgi-bin/adm.cgi from unexpected sources
  • Export and store the device configuration so a forced reset can be recovered quickly, and change the default administrative credentials immediately after any reset
  • Forward device logs to a remote syslog collector; local logs do not survive a factory reset

🔍 How to Verify

Check if Vulnerable:

Check the device model and firmware version on the web interface status or about page (or over SSH where the vendor firmware provides it). If the device is a WavRouter running RPT70HA1.x firmware, assume it is vulnerable.

Check Version:

Use the web interface status page; it is the authoritative source for the vendor firmware release. If you have shell access, cat /proc/version shows only the kernel build string, not the WavLink firmware version, so do not rely on it to decide whether the device is patched.

Verify Fix Applied:

No official fix is known. Monitor the vendor for firmware updates; once one is applied, confirm the firmware version on the status page is newer than RPT70HA1.x and that the release notes cover this issue.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /cgi-bin/adm.cgi, especially from sources that are not known administrator hosts (the endpoint needs no authentication, so every such request deserves review)
  • Unexpected factory reset or "restore defaults" events in system logs; these will only be visible on a remote syslog collector, because the device's local logs are wiped by the reset itself

Network Indicators:

  • HTTP traffic to the router on port 80 carrying POST requests to /cgi-bin/adm.cgi (on 443 the body is encrypted, so only the destination and connection pattern are visible without interception)
  • Sudden loss of connectivity through the router, followed by the device reappearing with factory-default settings (default SSID, default LAN address, default credentials)

SIEM Query:

source="router_logs" AND ((uri="/cgi-bin/adm.cgi" AND method="POST") OR message="*factory reset*" OR message="*restore default*")
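The detection logic above, as an added worked example (not code from the original page or from WavLink): a small Python filter that runs the "POST to /cgi-bin/adm.cgi" indicator over HTTP event records and grades each hit by whether the source is a known administrator host. The event format (JSON lines with ts/src/dst/method/uri fields) and the sample events are constructed for this example; the management allowlist is an assumption. Because the page does not name the specific request parameters that trigger the reset, the filter deliberately keys only on the endpoint and method, and it normalizes the path so trivial evasions (percent-encoding, doubled slashes, a query string) still match.

```python
import json
import urllib.parse

# Constructed sample events, not real logs: JSON lines in the shape a
# reverse proxy or IDS HTTP logger in front of the router might emit.
SAMPLE_EVENTS = """\
{"ts":"2024-01-10T09:00:01Z","src":"192.168.10.5","dst":"192.168.10.1","method":"GET","uri":"/cgi-bin/login.cgi"}
{"ts":"2024-01-10T09:02:17Z","src":"203.0.113.77","dst":"192.168.10.1","method":"POST","uri":"/cgi-bin/adm.cgi"}
{"ts":"2024-01-10T09:02:18Z","src":"192.168.10.5","dst":"192.168.10.1","method":"POST","uri":"/cgi-bin//%61dm.cgi?x=1"}
{"ts":"2024-01-10T09:03:00Z","src":"192.168.10.5","dst":"192.168.10.1","method":"POST","uri":"/cgi-bin/adm.cgi"}
{"ts":"2024-01-10T09:04:00Z","src":"192.168.10.9","dst":"192.168.10.1","method":"GET","uri":"/index.html"}
not valid json
"""

# Hosts permitted to administer the router (assumption for this example).
MANAGEMENT_HOSTS = {"192.168.10.5"}

# The unauthenticated administrative endpoint named in the advisory.
TARGET_PATH = "/cgi-bin/adm.cgi"


def normalize_path(uri):
    """Reduce a request URI to a canonical path.

    Drops the query string, percent-decodes, collapses repeated slashes
    and lower-cases, so that /cgi-bin//%61dm.cgi?x=1 matches the target.
    """
    path = urllib.parse.unquote(urllib.parse.urlsplit(uri).path)
    while "//" in path:
        path = path.replace("//", "/")
    return path.lower()


def classify(event):
    """Return an alert dict for a suspicious event, or None."""
    if event.get("method", "").upper() != "POST":
        return None
    if normalize_path(event.get("uri", "")) != TARGET_PATH:
        return None
    src = event.get("src", "")
    if src in MANAGEMENT_HOSTS:
        # Legitimate admins use this endpoint too; confirm with them.
        severity, reason = "medium", "POST to adm.cgi from a management host; confirm an administrator initiated it"
    else:
        # No authentication is required, so any other source is a likely reset attempt.
        severity, reason = "high", "POST to adm.cgi from a non-management source; endpoint needs no authentication"
    return {"ts": event.get("ts"), "src": src, "dst": event.get("dst"),
            "uri": event.get("uri"), "severity": severity, "reason": reason}


def scan(lines):
    """Parse JSON-line events and collect alerts; malformed lines are skipped."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = classify(event)
        if alert:
            alerts.append(alert)
    return alerts


def count_by_severity(alerts):
    """Summarize alerts as {severity: count} for a quick triage view."""
    counts = {}
    for alert in alerts:
        counts[alert["severity"]] = counts.get(alert["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS.splitlines())
    for alert in found:
        print(json.dumps(alert))
    print(count_by_severity(found))
```

Run against the constructed sample, the filter raises one high-severity alert for the external source and two medium-severity alerts for the administrator host (one of them the percent-encoded, double-slashed variant). Pair it with remote syslog from the device, since a successful reset erases the local logs that would otherwise confirm the event.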
