CVE-2025-11045
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary commands on WAYOS LQ series devices by manipulating the Name parameter in the /usb_paswd.asp file. Attackers can gain unauthorized access and control over affected devices. Organizations using WAYOS LQ_04, LQ_05, LQ_06, LQ_07, or LQ_09 devices with version 22.03.17 are affected.
💻 Affected Systems
- WAYOS LQ_04
- WAYOS LQ_05
- WAYOS LQ_06
- WAYOS LQ_07
- WAYOS LQ_09
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to install malware, steal data, pivot to internal networks, or render devices inoperable.
Likely Case
Unauthorized access leading to data theft, device hijacking for botnets, or disruption of network services.
If Mitigated
Limited impact if devices are isolated, monitored, and have restricted network access.
🎯 Exploit Status
Public exploit details are available, making this easy for attackers to weaponize. No authentication required for exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch available. Monitor vendor website for updates. Consider replacing affected devices if no patch becomes available.
🔧 Temporary Workarounds
Network Isolation
allIsolate affected devices from internet and restrict network access to trusted IPs only.
Access Control
allImplement strict firewall rules to block access to port 80/443 and the /usb_paswd.asp endpoint.
🧯 If You Can't Patch
- Immediately remove affected devices from internet-facing positions
- Implement network segmentation and monitor for suspicious traffic to/from these devices
🔍 How to Verify
Check if Vulnerable:
Check device firmware version via web interface or CLI. If version is 22.03.17, device is vulnerable.Check Version:
Check via web interface at http://device-ip/ or consult device documentation for CLI version check.Verify Fix Applied:
No fix available to verify. Monitor vendor for updates.📡 Detection & Monitoring
Log Indicators:
- Unusual access to /usb_paswd.asp
- Suspicious command execution in system logs
- Multiple failed login attempts
Network Indicators:
- Unexpected outbound connections from device
- Traffic to known malicious IPs
- Unusual port scanning from device
SIEM Query:
source_ip="device_ip" AND (url_path="/usb_paswd.asp" OR command="*cmd*" OR command="*sh*")🔗 References
- https://vuldb.com/?ctiid.326082
- https://vuldb.com/?id.326082
- https://vuldb.com/?submit.658913
- https://vuldb.com/?submit.661153
- https://vuldb.com/?submit.661168
- https://vuldb.com/?submit.661177
- https://vuldb.com/?submit.661178
- https://www.yuque.com/yuqueyonghuexlgkz/zepczx/ogyduynf84q89x99?singleDoc
- https://www.yuque.com/yuqueyonghuexlgkz/zepczx/py3shgm1z88g9xp2?singleDoc
- https://www.yuque.com/yuqueyonghuexlgkz/zepczx/ogyduynf84q89x99?singleDoc
- https://www.yuque.com/yuqueyonghuexlgkz/zepczx/py3shgm1z88g9xp2?singleDoc
