CVE-2025-50755 – This vulnerability allows attackers to execute ... (How to Fix)

Q: What is the severity of CVE-2025-50755?

CVE-2025-50755 has a CVSS score of 6.5 (MEDIUM). This vulnerability allows attackers to execute arbitrary commands on Wavlink WN535K3 routers by sending specially crafted requests to the set_sys_cmd function. Attackers can potentially take full control of affected devices, install malware, or pivot to other network systems. Only users of specific Wavlink router models with vulnerable firmware are affected.

📋 TL;DR

This vulnerability allows attackers to execute arbitrary commands on Wavlink WN535K3 routers by sending specially crafted requests to the set_sys_cmd function. Attackers can potentially take full control of affected devices, install malware, or pivot to other network systems. Only users of specific Wavlink router models with vulnerable firmware are affected.

💻 Affected Systems

Products:

Wavlink WN535K3

Versions: Firmware version 20191010

Operating Systems: Embedded Linux (router firmware)

Default Config Vulnerable: ⚠️ Yes

Notes: All devices running the vulnerable firmware version are affected regardless of configuration.

📦 What is this software?

Wl Wn535k3 Firmware by Wavlink

View all CVEs affecting Wl Wn535k3 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to persistent backdoor installation, network pivoting to internal systems, data exfiltration, and use in botnets or ransomware attacks.

🟠

Likely Case

Router compromise allowing traffic interception, DNS hijacking, credential theft, and use as a foothold for further network attacks.

🟢

If Mitigated

Limited impact if device is behind firewall with strict inbound rules, has network segmentation, and regular monitoring for suspicious activity.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, making them prime targets for remote exploitation without network access requirements.

🏢 Internal Only: MEDIUM - If exploited internally, could still compromise the router but requires attacker to have network access first.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Proof of concept available in GitHub repository. Exploitation requires sending crafted HTTP requests to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Wavlink support for updated firmware

Vendor Advisory: Not publicly available - contact Wavlink support

Restart Required: Yes

Instructions:

1. Contact Wavlink support for latest firmware. 2. Download firmware update. 3. Access router admin interface. 4. Navigate to firmware update section. 5. Upload and apply new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Network Access Restriction

all

Block external access to router admin interface using firewall rules

Disable Remote Management

all

Turn off remote administration features in router settings

🧯 If You Can't Patch

Isolate router on separate VLAN with strict firewall rules
Implement network monitoring for suspicious HTTP requests to router admin interface

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under System Status or Firmware Update section

Check Version:

Check via router web interface or SSH if enabled: cat /proc/version or similar firmware version file

Verify Fix Applied:

Verify firmware version has been updated to a version later than 20191010

📡 Detection & Monitoring

Log Indicators:

Unusual HTTP POST requests to router admin endpoints
Commands containing shell metacharacters in request parameters
Multiple failed authentication attempts followed by successful command execution

Network Indicators:

HTTP traffic to router on admin ports from unexpected sources
Outbound connections from router to suspicious IPs
Unusual DNS queries from router

SIEM Query:

source="router_logs" AND (uri="*set_sys_cmd*" OR command="*;*" OR command="*|*" OR command="*`*" OR command="*$(*")

📊 Metadata

CVE ID: CVE-2025-50755

CVSS v3 Score: 6.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE: CWE-77

EPSS Score: 6.39% exploit probability (90.8th percentile)

Published: September 2, 2025

Last Updated: September 4, 2025

🔗 References

https://github.com/Summermu/VulnForIoT/tree/main/Wavlink_WN535K3/set_sys_cmd/readme.md Exploit

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-50755, you might also want to check these: