CVE-2020-10972
Description
An issue was discovered where a page is exposed that has the current administrator password in cleartext in the source code of the page. No authentication is required in order to reach the page (a certain live_?.shtml page with the variable syspasswd). Affected Devices: Wavlink WN530HG4, Wavlink WN531G3, and Wavlink WN572HG3
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Wavlink routers expose the administrator's cleartext password in the source of an unauthenticated live status page, enabling trivial remote takeover.
Vulnerability
CVE-2020-10972 affects Wavlink WN530HG4, WN531G3, and WN572HG3 routers. An unauthenticated live status page (e.g., live_?.shtml) includes the variable syspasswd in its HTML source, which holds the current administrator password in cleartext [1][2][3]. No authentication is required to access this page; an attacker can simply retrieve the password directly from the page's source code [1].
Exploitation
An attacker with network access to the router's web interface can request the live_?.shtml page without any credentials [1][2]. By viewing the page source, the attacker obtains the administrator's password stored in the syspasswd variable [1][3]. No user interaction or race condition is needed [1]. This allows the attacker to then authenticate to the router's management interface as the administrator [3].
Impact
Successful exploitation results in full compromise of the router's administrative account [1][3]. The attacker gains the ability to change configuration, intercept network traffic, modify DNS settings, or install malicious firmware, leading to a complete loss of confidentiality, integrity, and availability of the device and potentially the connected network [3].
Mitigation
No official patch has been released by Wavlink for these models [2]. As of the publication date (May 2020), the devices remain vulnerable [1][2]. The only reliable mitigation is to replace the affected routers with models that do not expose credentials in this manner or to restrict network access to the router's web interface using network segmentation/firewall rules [2]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
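To accompany the segmentation advice above, one way to spot requests to the exposed page in HTTP access logs (an added example, not code from the advisory or from Wavlink). It assumes Common Log Format lines from a proxy or sensor in front of the router's web interface and a hypothetical management subnet, and the sample log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Assumption: management hosts live in this subnet; adjust to your network.
MGMT_NET = ipaddress.ip_network("192.168.10.0/28")

# Common Log Format: client, timestamp, request line, status, size.
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# The advisory names the page only as live_?.shtml, so match any name of that shape.
LIVE_PAGE = re.compile(r"^live_[^/]+\.shtml$", re.IGNORECASE)


def flag_live_page_requests(lines, mgmt_net=MGMT_NET):
    """Return (src, timestamp, path, status) for live_*.shtml hits from outside mgmt_net."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip malformed lines
        # Decode percent-encoding and drop the query string before matching.
        path = unquote(urlsplit(m["target"]).path)
        name = path.rsplit("/", 1)[-1]
        if not LIVE_PAGE.match(name):
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # client field is not an IP address
        if src not in mgmt_net:
            hits.append((str(src), m["ts"], path, int(m["status"])))
    return hits


# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    '192.168.10.5 - - [12/May/2020:09:14:02 +0000] "GET /live_x.shtml HTTP/1.1" 200 5120',
    '192.168.20.77 - - [12/May/2020:09:15:40 +0000] "GET /live_x.shtml HTTP/1.1" 200 5120',
    '192.168.20.77 - - [12/May/2020:09:15:41 +0000] "GET /index.shtml HTTP/1.1" 200 2048',
    '10.0.0.9 - - [12/May/2020:09:16:03 +0000] "GET /LIVE%5Fy.shtml?t=1 HTTP/1.1" 200 5120',
    'garbage line',
]

if __name__ == "__main__":
    for hit in flag_live_page_requests(SAMPLE_LOG):
        print(hit)
```

Any hit with status 200 from outside the management subnet means the page was served to a host that should not reach it, so the administrator password should be treated as disclosed and the access rules rechecked.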
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (4)
- Wavlink/Wavlink (description)
Patches
No patches discovered yet.
References
- github.com/sudo-jtcsec/CVE/blob/master/CVE-2020-10972 (mitre, x_refsource_MISC)
- github.com/sudo-jtcsec/CVE/blob/master/CVE-2020-10972-affected_devices (mitre, x_refsource_MISC)