CVE-2020-10973
Description
An issue was discovered in Wavlink WN530HG4, Wavlink WN531G3, Wavlink WN533A8, and Wavlink WN551K1 affecting /cgi-bin/ExportAllSettings.sh where a crafted POST request returns the current configuration of the device, including the administrator password. No authentication is required. The attacker must perform a decryption step, but all decryption information is readily available.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated POST request to /cgi-bin/ExportAllSettings.sh on multiple Wavlink routers exposes admin password with trivial decryption.
Vulnerability
The vulnerability resides in the /cgi-bin/ExportAllSettings.sh endpoint on Wavlink WN530HG4, WN531G3, WN533A8, and WN551K1 devices. A crafted POST request without authentication returns the full device configuration, including the administrator password. The password is encrypted but all decryption information is readily available [1][2][3].
Exploitation
An attacker with network access to the device can send an unauthenticated POST request to /cgi-bin/ExportAllSettings.sh. The response contains the configuration file, which includes the encrypted admin password. The attacker can then decrypt the password using publicly known methods, as the decryption key and algorithm are easily obtainable [1][2].
Impact
Successful exploitation allows an attacker to obtain the administrator password, leading to full administrative control over the affected Wavlink router. This can result in complete compromise of the device, including modification of settings, interception of network traffic, and potential lateral movement within the network [1][2][3].
Mitigation
As of the publication date (2020-05-07), no official patch has been released by Wavlink. Users are advised to restrict network access to the device's web interface, disable remote management if not needed, and monitor for firmware updates. The affected devices may be end-of-life; consider replacing them with supported hardware [1][2][3].
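A detection sketch for the request described above, added here as an example and not part of the CVE record or its references. It assumes HTTP requests to the router pass through a proxy or sensor that writes Combined Log Format; the log format, function names and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from posixpath import normpath
from urllib.parse import unquote

# Endpoint named in the CVE, lowercased (over-matching on case is acceptable for detection).
TARGET = "/cgi-bin/exportallsettings.sh"

# Combined Log Format from an upstream proxy or sensor (assumed; routers rarely log this).
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def canonical_path(uri):
    """Drop the query string, percent-decode, collapse '//' and './', lowercase."""
    path = unquote(uri.split("?", 1)[0])
    return normpath("/" + path.lstrip("/")).lower()

def find_config_export_requests(lines):
    """Return {source_ip: [(status, response_size), ...]} for POSTs to the endpoint."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or canonical_path(m["uri"]) != TARGET:
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        hits[m["src"]].append((int(m["status"]), size))
    return dict(hits)

def likely_disclosures(hits):
    """Sources answered with 200 and a body: the configuration was probably returned."""
    return sorted(ip for ip, reqs in hits.items()
                  if any(status == 200 and size > 0 for status, size in reqs))

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [07/May/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [07/May/2020:10:00:05 +0000] "POST /cgi-bin/ExportAllSettings.sh HTTP/1.1" 200 20480',
    '198.51.100.7 - - [07/May/2020:10:00:09 +0000] "POST //cgi-bin/./%45xportAllSettings.sh?x=1 HTTP/1.1" 200 20480',
    '203.0.113.4 - - [07/May/2020:10:01:00 +0000] "POST /cgi-bin/ExportAllSettings.sh HTTP/1.1" 403 0',
    '192.0.2.10 - - [07/May/2020:10:02:00 +0000] "POST /other/path HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    hits = find_config_export_requests(SAMPLE)
    for ip in likely_disclosures(hits):
        print(f"{ip}: {len(hits[ip])} POST(s) to ExportAllSettings.sh answered with 200")
```

Any source reported by likely_disclosures should be treated as having obtained the configuration, so the administrator password on that device should be changed.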
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Wavlink/WN530HG4 (description)
Patches
No patches discovered yet.
References
- github.com/sudo-jtcsec/CVE/blob/master/CVE-2020-10973 (mitre, x_refsource_MISC)
- github.com/sudo-jtcsec/CVE/blob/master/CVE-2020-10973-affected_devices (mitre, x_refsource_MISC)