CVE-2020-12266
Description
An issue was discovered where there are multiple externally accessible pages that do not require any sort of authentication, and store system information for internal usage. The devices automatically query these pages to update dashboards and other statistics, but the pages can be accessed externally without any authentication. All the pages follow the naming convention live_(string).shtml. Among the information disclosed is: interface status logs, IP address of the device, MAC address of the device, model and current firmware version, location, all running processes, all interfaces and their statuses, all current DHCP leases and the associated hostnames, all other wireless networks in range of the router, memory statistics, and components of the configuration of the device such as enabled features. Affected devices are: Wavlink WN530HG4, Wavlink WN575A3, Wavlink WN579G3, Wavlink WN531G3, Wavlink WN533A8, Wavlink WN531A6, Wavlink WN551K1, Wavlink WN535G3, Wavlink WN530H4, Wavlink WN57X93, WN572HG3, Wavlink WN578A2, Wavlink WN579G3, Wavlink WN579X3, and Jetstream AC3000/ERAC3000.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated access to live_(string).shtml pages on multiple Wavlink routers and Jetstream AC3000 exposes sensitive device configuration and network data.
Vulnerability
Multiple Wavlink router models (WN530HG4, WN575A3, WN579G3, WN531G3, WN533A8, WN531A6, WN551K1, WN535G3, WN530H4, WN57X93, WN572HG3, WN578A2, WN579G3, WN579X3) and the Jetstream AC3000/ERAC3000 expose a set of pages following the naming convention live_(string).shtml that require no authentication to access [1][2]. These pages are designed for internal dashboard updates but are reachable from the external network without any login or session token. The vulnerability affects firmware versions confirmed by the researcher, though exact version numbers are not disclosed in the available references [1][2].
Exploitation
An unauthenticated attacker with network access (either from the Internet if the router is exposed, or from the local LAN) can directly request any live_(string).shtml endpoint on the device [2]. No authentication, no previous user interaction, and no special privileges are required. The attacker simply navigates to the router's IP address followed by the known page name (e.g., http://<router-ip>/live_status.shtml) to retrieve the sensitive data [2].
Impact
Successful exploitation reveals a broad range of device and network information [2]: interface status logs, the device IP and MAC addresses, model name and current firmware version, physical location (likely configured by the administrator), list of running processes, all interfaces and their statuses, active DHCP leases with associated hostnames, all visible wireless networks, memory statistics, and components of the running configuration (such as enabled features). This information disclosure aids network reconnaissance and can be used to tailor further attacks against the router or the internal network.
Mitigation
As of the publication date and the available references, no official firmware patch from Wavlink or Jetstream has been identified [4]. The vendor's website [4] does not list any security advisory addressing this issue. Until a fix is released, the only workaround is to restrict external access to the router's web interface (e.g., by not exposing it to the Internet, using a firewall to block inbound requests to the management interface, or placing the device behind a VPN). There is no indication that this CVE is listed in CISA's Known Exploited Vulnerabilities catalog.
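Added example (not part of the CVE record or any vendor code): one way to check that the access restriction described above holds is to scan HTTP access logs from a gateway or reverse proxy in front of the device for live_(string).shtml requests that come from outside the management subnet. The Common Log Format source, the 192.168.10.0/24 subnet, the page name live_example.shtml and every log line are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Naming convention from the CVE description: live_(string).shtml
LIVE_PAGE = re.compile(r"^/live_[^/?]+\.shtml(?:\?.*)?$", re.IGNORECASE)
# Common Log Format (assumed log source: a proxy or gateway in front of the router)
CLF = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Assumed management subnet that is allowed to view the dashboard pages
TRUSTED_NETS = [ipaddress.ip_network("192.168.10.0/24")]

# Constructed sample log lines; live_example.shtml is a made-up page name
SAMPLE_LOG = """\
192.168.10.23 - - [01/May/2020:10:00:01 +0000] "GET /live_status.shtml HTTP/1.1" 200 1843
203.0.113.77 - - [01/May/2020:10:02:14 +0000] "GET /live_status.shtml HTTP/1.1" 200 1843
203.0.113.77 - - [01/May/2020:10:02:15 +0000] "GET /live_example.shtml HTTP/1.1" 200 5120
198.51.100.9 - - [01/May/2020:10:05:40 +0000] "GET /live_status.shtml HTTP/1.1" 403 0
192.168.10.23 - - [01/May/2020:10:06:00 +0000] "GET /login.shtml HTTP/1.1" 200 900
garbage line
"""

def audit_live_page_access(lines, trusted_nets=TRUSTED_NETS):
    """Return {source_ip: {"served": [paths], "denied": [paths]}} for
    live_*.shtml requests from clients outside the trusted networks."""
    report = defaultdict(lambda: {"served": [], "denied": []})
    for line in lines:
        m = CLF.match(line)
        if not m or not LIVE_PAGE.match(m["path"]):
            continue  # unparseable line or unrelated page
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # hostname or malformed source field
        if any(src in net for net in trusted_nets):
            continue  # expected dashboard traffic from the management subnet
        # 2xx means the page was disclosed; anything else means the block held
        outcome = "served" if m["status"].startswith("2") else "denied"
        report[m["src"]][outcome].append(m["path"])
    return dict(report)

if __name__ == "__main__":
    for src, result in audit_live_page_access(SAMPLE_LOG.splitlines()).items():
        print(src, "served:", result["served"], "denied:", result["denied"])
```

A non-empty "served" list means the pages are still reachable from an untrusted source; "denied" entries show requests that the restriction stopped.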
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Wavlink/WN530HG4 (description)
Patches
No patches discovered yet.
References (3)
- github.com/sudo-jtcsec/CVE/blob/master/CVE-2020-12266 (mitre, x_refsource_MISC)
- github.com/sudo-jtcsec/CVE/blob/master/CVE-2020-12266-affected_devices (mitre, x_refsource_MISC)
- www.wavlink.com (mitre, x_refsource_MISC)