CVE-2025-10324

7.3 HIGH

📋 TL;DR

This CVE describes a command injection vulnerability in Wavlink WL-WN578W2 routers that allows remote attackers to execute arbitrary commands on affected devices. The vulnerability exists in the firewall.cgi component and can be exploited by manipulating specific parameters. All users of the affected router model with the vulnerable firmware are at risk.

💻 Affected Systems

Products:
  • Wavlink WL-WN578W2
Versions: Firmware version 221110 (specific to this CVE)
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability affects the firewall.cgi component which is typically enabled by default for remote management functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the router allowing persistent backdoor installation, network traffic interception, lateral movement to connected devices, and participation in botnets.

🟠 Likely Case: Router takeover enabling DNS hijacking, credential theft from network traffic, and use as a pivot point for internal network attacks.

🟢 If Mitigated: Limited impact if the router is behind additional firewalls with strict inbound rules and network segmentation is implemented.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and the device is typically internet-facing as a router/gateway.
🏢 Internal Only: MEDIUM - While primarily internet-facing, compromised routers could be used to attack internal networks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details are available in GitHub repositories, making exploitation straightforward for attackers with basic skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available - vendor did not respond to disclosure

Restart Required: Yes

Instructions:

No official patch available. Consider replacing affected hardware or implementing strict network controls.

🔧 Temporary Workarounds

Disable Remote Management (applies to: all)

Disable remote management/administration features on the router to prevent external exploitation.

Access router admin interface -> Advanced Settings -> Remote Management -> Disable

Restrict WAN Access (applies to: all)

Configure firewall rules to block all inbound WAN access to the router management interface.

Access router admin interface -> Firewall -> Add rule blocking port 80/443 from WAN

🧯 If You Can't Patch

  • Segment network: Place router in isolated VLAN with strict access controls
  • Implement external firewall: Deploy upstream firewall with strict rules blocking all inbound traffic to router management ports

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version in the admin interface. If the version is 221110, the device is vulnerable.

Check Version:

Log in to the router admin interface and check the System Status or Firmware Version page.

Verify Fix Applied:

No official fix available. Verify workarounds by testing that remote management is disabled and firewall rules are active.

📡 Detection & Monitoring

Log Indicators:

  • Unusual firewall.cgi requests with shell metacharacters
  • Multiple failed login attempts followed by successful access
  • Unexpected process execution in router logs

Network Indicators:

  • Unusual outbound connections from router to unknown IPs
  • DNS queries to suspicious domains from router
  • Port scanning originating from router

SIEM Query:

source="router" AND uri="*firewall.cgi*" AND (param="*pingFrmWANFilterEnabled*" OR param="*blockSynFloodEnabled*" OR param="*blockPortScanEnabled*" OR param="*remoteManagementEnabled*") AND (param="*;*" OR param="*|*" OR param="*`*" OR param="*$(*")
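The same detection logic, written out as an added example that is not part of the original advisory: a small Python scanner that parses web-server-style access log lines, URL-decodes the firewall.cgi parameters from the query string or request body, and flags any of the four parameters named on this page whose value carries a shell metacharacter. The log line format, the sample lines, the IP addresses and the "probe" token are constructed assumptions for illustration; a real Wavlink log format will differ and the LOG_RE pattern would need adjusting.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# firewall.cgi parameters named on the advisory page.
WATCHED_PARAMS = {
    "pingFrmWANFilterEnabled",
    "blockSynFloodEnabled",
    "blockPortScanEnabled",
    "remoteManagementEnabled",
}

# Shell metacharacters the advisory's SIEM query looks for: ; | ` and $(
SHELL_META = re.compile(r"[;|`]|\$\(")

# Assumed (constructed) log format: common log format plus an optional quoted
# request body at the end. Real router logs will differ; adjust this pattern.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \d+(?: "(?P<body>[^"]*)")?$'
)

# Constructed sample lines: one benign POST, two requests carrying
# metacharacters in watched parameters (one percent-encoded in the query
# string), and one request to a different CGI that must not alert.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Sep/2025:10:00:01 +0000] "POST /cgi-bin/firewall.cgi HTTP/1.1" 200 512 '
    '"pingFrmWANFilterEnabled=1&blockSynFloodEnabled=1"',
    '198.51.100.7 - - [12/Sep/2025:10:02:13 +0000] "POST /cgi-bin/firewall.cgi HTTP/1.1" 200 512 '
    '"remoteManagementEnabled=1%3Bprobe&blockPortScanEnabled=1"',
    '192.0.2.10 - - [12/Sep/2025:10:03:40 +0000] "GET /cgi-bin/firewall.cgi?blockPortScanEnabled=1%7Cprobe HTTP/1.1" 200 301',
    '192.0.2.10 - - [12/Sep/2025:10:05:00 +0000] "GET /cgi-bin/status.cgi?page=1%3Bprobe HTTP/1.1" 200 88',
]


def parse_params(raw):
    """Split a query string or form body into decoded (name, value) pairs.

    Done by hand rather than with parse_qsl so that percent-encoded
    metacharacters are decoded before matching and no alternative separator
    handling gets in the way.
    """
    pairs = []
    for part in raw.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def parse_line(line):
    """Parse one log line into an event dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    split = urlsplit(m.group("path"))
    params = parse_params(split.query)
    if m.group("body"):
        params += parse_params(m.group("body"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "uri": split.path,
        "status": int(m.group("status")),
        "params": params,
    }


def suspicious_params(event):
    """Return (name, value) pairs of watched firewall.cgi params with metacharacters."""
    if not event["uri"].endswith("firewall.cgi"):
        return []
    return [
        (name, value)
        for name, value in event["params"]
        if name in WATCHED_PARAMS and SHELL_META.search(value)
    ]


def scan(lines):
    """Run the detection over an iterable of log lines and return alert records."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        hits = suspicious_params(event)
        if hits:
            alerts.append({"ip": event["ip"], "ts": event["ts"], "hits": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f'{alert["ts"]} {alert["ip"]} firewall.cgi metacharacter in {alert["hits"]}')
```

Decoding before matching matters: the SIEM query on this page searches the raw parameter text, so a value sent as `%3B` rather than a literal `;` would slip past it. The scanner above decodes first and then applies the same four-metacharacter check, and it ignores other CGI endpoints so that the page's own `status.cgi`-style noise does not produce alerts.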
