CVE-2020-12124

Vulnerability

A remote command-line injection vulnerability exists in the /cgi-bin/live_api.cgi endpoint of the WAVLINK WN530H4 router running firmware version M30H4.V5030.190403 [1]. The endpoint does not properly sanitize user input, allowing an attacker to inject arbitrary operating system commands. No authentication is required to reach this endpoint.

Exploitation

An attacker with network access to the router can send a crafted HTTP request to http:///cgi-bin/live_api.cgi with malicious input in the query string or POST parameters. The injected commands are executed by the underlying Linux shell without any privilege escalation step because the CGI process runs as root.

Impact

Successful exploitation allows the attacker to execute arbitrary Linux commands as the root user, resulting in complete compromise of the device. This includes the ability to modify system configuration, exfiltrate data, install persistent backdoors, or use the device as a pivot point for further network attacks.

Mitigation

As of the publication date (2020-10-02), no firmware update or patch is available from WAVLINK to address this vulnerability [1]. The device may be end-of-life. Users are advised to isolate the router from untrusted networks, place it behind a firewall, or replace it with a supported device. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.