CVE-2025-44868
Description
Wavlink WL-WN530H4 20220801 was found to contain a command injection vulnerability in the ping_test function of the adm.cgi via the pingIp parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Command injection in Wavlink WL-WN530H4 adm.cgi ping_test function allows unauthenticated remote attackers to execute arbitrary commands via crafted pingIp parameter.
Vulnerability
The Wavlink WL-WN530H4 router running firmware version 20220801 contains a command injection vulnerability in the ping_test function of /cgi-bin/adm.cgi. The pingIp parameter is not properly sanitized, allowing an unauthenticated remote attacker to inject arbitrary shell commands. The vulnerability is reachable via a crafted HTTP POST request to the endpoint [1].
Exploitation
An attacker with network access to the device can exploit this vulnerability by sending a POST request to /cgi-bin/adm.cgi with parameters including page=ping_test, CCMD=4, and a malicious pingIp value containing command injection payloads (e.g., 1;pwd;). No authentication is required, as the vulnerable endpoint is exposed without proper access controls [1].
Impact
Successful exploitation allows the attacker to execute arbitrary operating system commands with root privileges on the router. This can lead to complete device compromise, including unauthorized access to network traffic, modification of device settings, and use of the device as a pivot for further attacks on internal networks [1].
Mitigation
As of the publication date, no official patch or firmware update has been released by Wavlink to address this vulnerability. Users should restrict remote access to the device's management interface, monitor for suspicious activity, and contact the vendor for a fix. If possible, isolate the device from untrusted networks until a patch is available [1].
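One way to act on "monitor for suspicious activity", as an added example that is not Wavlink's code or part of the original advisory: a Python check that flags logged POST requests to /cgi-bin/adm.cgi with page=ping_test whose pingIp is anything other than a plain IP address or hostname. It assumes a proxy or WAF in front of the management interface that records request bodies; the function names and sample events are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# Characters a hostname may contain; no shell metacharacters, spaces or newlines.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def is_plain_ping_target(value):
    """True only for a literal IP address or a hostname-shaped string."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.fullmatch(value) is not None


def suspicious_ping_test(method, path, body):
    """Flag a POST to adm.cgi whose ping_test pingIp is not a plain target."""
    if method.upper() != "POST":
        return False
    if not path.split("?", 1)[0].endswith("/cgi-bin/adm.cgi"):
        return False
    # parse_qs percent-decodes, so encoded metacharacters are seen in the clear.
    fields = parse_qs(body, keep_blank_values=True, separator="&")
    if "ping_test" not in fields.get("page", []):
        return False
    # Every copy of pingIp is checked, since a handler may read any duplicate.
    return any(not is_plain_ping_target(v) for v in fields.get("pingIp", []))


# Constructed sample events: (source, method, path, body). Not real traffic.
SAMPLE_EVENTS = [
    ("192.0.2.10", "POST", "/cgi-bin/adm.cgi", "page=ping_test&CCMD=4&pingIp=192.168.10.1"),
    ("192.0.2.77", "POST", "/cgi-bin/adm.cgi", "page=ping_test&CCMD=4&pingIp=1;pwd;"),
    ("192.0.2.77", "POST", "/cgi-bin/adm.cgi", "page=ping_test&CCMD=4&pingIp=1%3Bpwd%3B"),
    ("192.0.2.10", "POST", "/cgi-bin/adm.cgi", "page=other"),
]


def flagged_sources(events):
    """Return the source of each event that matches the ping_test pattern."""
    return [src for src, method, path, body in events
            if suspicious_ping_test(method, path, body)]


if __name__ == "__main__":
    print(flagged_sources(SAMPLE_EVENTS))
```

Because no authentication is required to reach the endpoint, any match from an address outside the administrators' own range is worth reviewing.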
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: = 20220801
Patches
No patches discovered yet.
References
1