PT-2020-12458 · Wavlink · Wavlink Wn551K1+4
Published 2020-05-07 · Updated 2022-04-28 · CVE-2020-10973
| CVSS v3.1 | 7.5 (High) |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Wavlink WN530HG4
Wavlink WN531G3
Wavlink WN533A8
Wavlink WN551K1
Wavlink WL-WN530HG4 version M30HG4.V5030.191116
Description
The /cgi-bin/ExportAllSettings.sh endpoint can be reached without any authentication. A crafted POST request to it returns the device's current configuration, which includes the administrator password. The exported data is encrypted, so the attacker has to perform a decryption step, but all the information needed for that step is readily available, so the encryption offers no real protection. A remote attacker who can reach the web interface therefore obtains administrative credentials for the device without logging in.
Recommendations
The exposure is the same on every listed model (Wavlink WN530HG4, WN531G3, WN533A8, WN551K1 and WL-WN530HG4 version M30HG4.V5030.191116), so the same workaround applies to all of them until a vendor patch is installed:
Restrict access to the /cgi-bin/ExportAllSettings.sh endpoint so that it is reachable only from trusted hosts, or disable it entirely while no patch is available; the path also appears spelled ExportALLSettings.sh in some sources, so match it case-insensitively when filtering.
Do not expose the device's web management interface to the WAN; allow management only from the local network.
Where the endpoint cannot be disabled, place an additional authentication requirement in front of it as a temporary measure.
Because the exported configuration contains the administrator password, assume it has been disclosed on any device that was reachable by untrusted clients, and change the password after the fix or workaround is applied.
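Two things a practitioner wants after reading the description and the recommendations above: a way to find out whether the export endpoint was already hit in the device's (or a fronting proxy's) HTTP access logs, and a quick pre-auth probe to confirm that a workaround actually gates the endpoint. The Python below is an added example, not code from this advisory or from Wavlink. It assumes Apache/nginx "combined" log lines (the sample lines are constructed), treats RFC 1918 and loopback ranges as the trusted LAN, matches the path case-insensitively because the page cites both ExportAllSettings.sh and ExportALLSettings.sh, and the probe sends an empty POST as a reachability check only; it does not attempt the decryption step.

```python
"""Added example (not from the advisory or Wavlink): hunt for hits on the
settings-export endpoint in HTTP access logs, and optionally probe a device
to confirm the endpoint is no longer reachable without authentication.

Assumptions: logs are in Apache/nginx "combined" format; the sample lines
below are constructed; RFC 1918 and loopback ranges count as "on-LAN".
"""
import ipaddress
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import List, Tuple

ENDPOINT = "/cgi-bin/ExportAllSettings.sh"

# ip ident user [time] "METHOD path PROTO" status bytes  (combined-format prefix)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<nbytes>\d+|-)'
)

# Assumed trusted ranges; adjust to the deployment's management network.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class Finding:
    ip: str
    time: str
    method: str
    status: int
    nbytes: int
    off_lan: bool
    severity: str  # "likely exfiltration" or "attempt"


def is_off_lan(ip: str) -> bool:
    """True when the source is outside the assumed trusted ranges (or unparsable)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return not any(addr in net for net in LAN_NETS)


def analyze(lines) -> List[Finding]:
    """Return one Finding per request whose path is the export endpoint.

    The path is compared case-insensitively and without the query string, since
    the endpoint is cited with varying capitalisation. A 200 with a non-empty
    body means the device handed its configuration to the caller; anything else
    (403, 404, redirect, empty body) is recorded as an attempt.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        path = m.group("path").split("?", 1)[0]
        if path.lower() != ENDPOINT.lower():
            continue
        status = int(m.group("status"))
        nbytes = 0 if m.group("nbytes") == "-" else int(m.group("nbytes"))
        severity = "likely exfiltration" if status == 200 and nbytes > 0 else "attempt"
        findings.append(Finding(m.group("ip"), m.group("time"), m.group("method"),
                                status, nbytes, is_off_lan(m.group("ip")), severity))
    return findings


def probe(base_url: str, timeout: float = 5.0) -> Tuple[int, int]:
    """Send an unauthenticated POST to the endpoint and report (status, body length).

    Verification check for the workaround, not an exploit: it does not decrypt
    anything. Assumption: a gated endpoint answers 401/403 or redirects to the
    login page, so a 200 with a sizeable body means it is still exposed.
    """
    req = urllib.request.Request(base_url.rstrip("/") + ENDPOINT, data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), len(resp.read())
    except urllib.error.HTTPError as e:
        return e.code, len(e.read() or b"")


# Constructed sample log: two off-LAN probes, one LAN export, one 404 GET probe.
SAMPLE_LOG = """\
192.168.10.5 - - [07/May/2020:10:02:11 +0000] "GET /login.shtml HTTP/1.1" 200 4321
203.0.113.44 - - [07/May/2020:10:03:02 +0000] "POST /cgi-bin/ExportAllSettings.sh HTTP/1.1" 200 18332
203.0.113.44 - - [07/May/2020:10:03:05 +0000] "POST /cgi-bin/ExportALLSettings.sh HTTP/1.1" 403 0
192.168.10.5 - - [07/May/2020:10:04:40 +0000] "POST /cgi-bin/ExportAllSettings.sh?x=1 HTTP/1.1" 200 18332
198.51.100.9 - - [07/May/2020:10:05:00 +0000] "GET /cgi-bin/ExportAllSettings.sh HTTP/1.1" 404 -
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        where = "off-LAN" if f.off_lan else "LAN"
        print(f"{f.time} {f.ip:<15} {where:<7} {f.method} -> {f.status} {f.nbytes}B : {f.severity}")
```

On the constructed sample the script reports the two off-LAN POSTs from 203.0.113.44 (one successful export, one blocked with 403), the LAN export, and a 404 GET probe from 198.51.100.9. The "likely exfiltration" entries are the ones that warrant the password rotation recommended above; an off-LAN attempt that was blocked still tells you the management interface is reachable from the internet. Run probe("http://<device>") only against devices you own: a 200 with a body of several kilobytes means the workaround is not in place.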
Exploit
Fix
Weakness Enumeration
Missing Authentication
Related Identifiers
Affected Products
Wavlink Wl-Wn530Hg4
Wavlink Wn530H4
Wavlink Wn531P3
Wavlink Wn533A8
Wavlink Wn551K1