CVE-2020-10971

Vulnerability

An issue exists in Wavlink Jetstream devices where the adm.cgi endpoint does not validate that a POST request originates from an active session. As a result, an attacker can send a crafted POST request containing a command that will be executed if there is any active session at the time. This affects multiple Wavlink models including WN530HG4, WN575A3, WN579G3, WN531G3, WN533A8, WN531A6, WN551K1, WN535G3, WN530H4, WN57X93, WN572HG3, WN578A2, WN579G3, WN579X3, and Jetstream AC3000/ERAC3000 [1][3].

Exploitation

An attacker can exploit this by sending a HTTP POST request to adm.cgi with a crafted payload. The request is not validated to ensure it comes from the active session, so the attacker only needs to time the request during an active session (e.g., an administrator is logged in). No authentication or prior access to the device is required beyond network reachability.

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the device, likely with root privileges, leading to full compromise of the device. This can result in data exfiltration, denial of service, or use of the device as a pivot point in further attacks.

Mitigation

As of the publication date (2020-05-07), no official patch or firmware update has been released by Wavlink. Users should consider upgrading to a different, actively-maintained device or implementing network-level controls such as restricting access to the administration interface. The vendor has not provided a fix, and some affected devices may be end-of-life.