Login Sign Up

CVE-2025-10321

5.3 MEDIUM

📋 TL;DR

This vulnerability in Wavlink WL-WN578W2 routers allows remote attackers to access sensitive information through the /live_online.shtml file. The flaw enables information disclosure without authentication, affecting users of this specific router model. Attackers can exploit this remotely to potentially gather system or network data.

💻 Affected Systems

Products:
  • Wavlink WL-WN578W2
Versions: 221110
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects this specific model and firmware version. Devices with default configurations are vulnerable.

📦 What is this software?

Wl Wn578w2 Firmware by Wavlink

View all CVEs affecting Wl Wn578w2 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers obtain sensitive router configuration data, network topology information, or credentials that could lead to further network compromise.

🟠

Likely Case

Unauthorized access to system information or configuration details that could aid in reconnaissance for additional attacks.

🟢

If Mitigated

Limited impact with proper network segmentation and access controls preventing external exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub. Remote exploitation requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: UNKNOWN

Vendor Advisory: NONE

Restart Required: No

Instructions:

No official patch available. Vendor has not responded to disclosure. Consider replacing affected devices or implementing workarounds.

🔧 Temporary Workarounds

Block External Access

all

Prevent external access to router administration interface

Configure firewall to block WAN access to router management ports (typically 80, 443, 8080)

Disable Vulnerable Feature

all

Disable or restrict access to the live_online.shtml functionality if possible

Check router settings for live monitoring features and disable them

🧯 If You Can't Patch

  • Segment affected routers on isolated network segments
  • Implement strict network access controls and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Access http://[router-ip]/live_online.shtml from network. If accessible without authentication and returns sensitive information, device is vulnerable.

Check Version:

Check router web interface or use command: telnet [router-ip] 80, then GET / HTTP/1.0 to view version headers

Verify Fix Applied:

Attempt to access the vulnerable endpoint after implementing workarounds. Should return access denied or not found.

📡 Detection & Monitoring

Log Indicators:

  • HTTP GET requests to /live_online.shtml from unauthorized sources
  • Unusual access patterns to router management interface

Network Indicators:

  • External IP addresses accessing router management ports
  • Traffic to /live_online.shtml from unexpected sources

SIEM Query:

source_ip NOT IN (trusted_networks) AND (url_path CONTAINS 'live_online.shtml' OR dest_port IN (80, 443, 8080))

📊 Metadata

CVE ID: CVE-2025-10321
CVSS v3 Score: 5.3 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-200
EPSS Score: 0.03% exploit probability (8.3th percentile)
Published: September 12, 2025
Last Updated: October 2, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-10321, you might also want to check these:

CVE-2025-61481 10.0

MikroTik RouterOS and SwOS expose their WebFig management interface over unencrypted HTTP by default...

Same vulnerability type (CWE-200)
CVE-2025-53624 10.0

The Docusaurus gists plugin versions before 4.0.0 expose GitHub Personal Access Tokens in client-sid...

Same vulnerability type (CWE-200)
CVE-2023-49103 10.0

This vulnerability in ownCloud's graphapi app exposes PHP configuration details (phpinfo) via a thir...

Same vulnerability type (CWE-200)