CVE-2025-10358
📋 TL;DR
This CVE describes a remote command injection vulnerability in Wavlink WL-WN578W2 routers. Attackers can execute arbitrary operating system commands by manipulating the delete_list parameter in the wireless.cgi endpoint. All users of affected Wavlink router models are at risk.
💻 Affected Systems
- Wavlink WL-WN578W2
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise, allowing an attacker to install persistent backdoors, pivot to internal networks, steal credentials, or use the device as a botnet node.
Likely Case
Remote code execution leading to device takeover, network traffic interception, or denial of service.
If Mitigated
No impact if the device is behind a firewall with no internet exposure and proper network segmentation.
🎯 Exploit Status
Public proof-of-concept available showing command injection via delete_list parameter manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: Yes
Instructions:
No official patch available. Contact Wavlink support for firmware updates. Consider replacing affected devices if no patch is forthcoming.
🔧 Temporary Workarounds
Network Access Control
Block external access to the router's web interface and restrict internal access to trusted IPs only. Run on the router itself; replace TRUSTED_IP with the address of the management host. The ACCEPT rules must be appended before the DROP rules, as shown, because iptables evaluates the chain in order.
# allow the management host, then drop everyone else
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
CGI Script Disable
Disable or remove the vulnerable wireless.cgi script if router functionality allows. Note that this also removes wireless configuration through the web UI, and the script's location on the device's filesystem may differ from the URI path.
# web-root cgi-bin directory; adjust to where the firmware actually keeps the script
rm /cgi-bin/wireless.cgi
🧯 If You Can't Patch
- Isolate affected routers in separate VLAN with strict firewall rules preventing outbound connections
- Implement network monitoring for unusual traffic patterns from router devices
🔍 How to Verify
Check if Vulnerable:
Check whether the device responds to crafted requests to /cgi-bin/wireless.cgi with a delete_list parameter containing command injection payloads.
Check Version:
Check router web interface or use nmap banner grabbing: nmap -sV -p 80,443 ROUTER_IP
Verify Fix Applied:
Test if command injection attempts via delete_list parameter are properly sanitized or blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual CGI script executions
- Suspicious commands in web server logs
- Multiple failed authentication attempts to wireless.cgi
Network Indicators:
- Unusual outbound connections from router
- Traffic to known malicious IPs from router
- Port scanning originating from router
SIEM Query:
source="router_logs" AND (uri="/cgi-bin/wireless.cgi" AND (query="*delete_list*" OR query="*;*" OR query="*|*" OR query="*`*"))
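The same logic as the SIEM query above, as an added example for sites that keep raw web server logs rather than a SIEM; it is not code from the original advisory or from Wavlink. It parses combined-format access log lines (the sample lines are constructed, not real device logs), decodes the query string, and flags requests to /cgi-bin/wireless.cgi whose delete_list value contains shell metacharacters. The log format and the placement of delete_list in the query string are assumptions; parameters sent in a POST body do not appear in standard access logs and need a body-logging proxy instead.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined format); not real device logs.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Sep/2025:12:00:01 +0000] "GET /cgi-bin/wireless.cgi?page=wireless&delete_list=00:11:22:33:44:55 HTTP/1.1" 200 512
192.0.2.20 - - [10/Sep/2025:12:00:05 +0000] "GET /cgi-bin/wireless.cgi?page=wireless&delete_list=00:11:22:33:44:55%3Bid HTTP/1.1" 200 640
192.0.2.30 - - [10/Sep/2025:12:00:09 +0000] "GET /cgi-bin/status.cgi?x=1%7Cid HTTP/1.1" 200 100
"""

# Source address, timestamp, method, request target and status of a combined-format line.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Shell metacharacters the SIEM query looks for (; | `) plus $ and & (command substitution, backgrounding).
META_RE = re.compile(r"[;|`$&\n]")

VULNERABLE_PATH = "/cgi-bin/wireless.cgi"


def suspicious_delete_list(target):
    """Return the decoded delete_list value that carries shell metacharacters, or None.

    Only the vulnerable endpoint is considered: the same characters on another
    CGI path are out of scope for this CVE (they may still merit their own rule).
    """
    parts = urlsplit(target)
    if parts.path != VULNERABLE_PATH:
        return None
    # parse_qs percent-decodes values, so %3B is compared as ';'.
    for value in parse_qs(parts.query, keep_blank_values=True).get("delete_list", []):
        if META_RE.search(value):
            return value
    return None


def scan_access_log(text):
    """Return (source_ip, decoded delete_list value) for every suspicious request line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        value = suspicious_delete_list(m.group("target"))
        if value is not None:
            hits.append((m.group("src"), value))
    return hits
```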
🔗 References
- https://github.com/ZZ2266/.github.io/tree/main/WAVLINK/WL-WN578W2/wireless.cgi/DeleteMac
- https://github.com/ZZ2266/.github.io/tree/main/WAVLINK/WL-WN578W2/wireless.cgi/DeleteMac#proof-of-concept-poc
- https://vuldb.com/?ctiid.323772
- https://vuldb.com/?id.323772
- https://vuldb.com/?submit.643438