PT-2022-25422 · Wavlink · Wavlink Quantum D4G
Corey Hartman · Published 2022-09-13 · Updated 2022-09-19 · CVE-2022-40621
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
WAVLINK Quantum D4G (WN531G3) versions M31G3.V5030.200325 and earlier
Description
The issue arises because the WAVLINK Quantum D4G (WN531G3) communicates over HTTP instead of HTTPS, and its hashing mechanism does not rely on a server-supplied key. This allows an attacker with sufficient network access to capture the hashed password of a logged-on user and use it in a classic Pass-the-Hash style attack.
Recommendations
For WAVLINK Quantum D4G (WN531G3) versions M31G3.V5030.200325 and earlier, consider disabling HTTP communication and implementing HTTPS to encrypt data in transit. Additionally, restrict network access to minimize the risk of exploitation. As a temporary workaround, consider implementing an alternative authentication mechanism that relies on a server-supplied key until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
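Why the missing server-supplied key matters, shown as an added example (not Wavlink firmware code and not part of the original advisory): a static client-side hash is accepted again when replayed, while an HMAC over a single-use server nonce is not. SHA-256, the sample password and all names are assumptions for illustration; the advisory does not state which hash the device uses.

```python
import hashlib
import hmac
import secrets

PASSWORD = "constructed-admin-pass"  # constructed sample value
# Verifier held by the device (assumption: unsalted SHA-256 of the password).
STORED = hashlib.sha256(PASSWORD.encode()).digest()

def static_login_token(password):
    """Weak scheme: the client sends the same hash on every login."""
    return hashlib.sha256(password.encode()).hexdigest()

def static_verify(token):
    return hmac.compare_digest(token, STORED.hex())

class ChallengeServer:
    """Hardened scheme: the response is keyed to a single-use server nonce."""
    def __init__(self):
        self._pending = set()

    def new_challenge(self):
        nonce = secrets.token_hex(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce, response):
        if nonce not in self._pending:
            return False              # unknown or already-used nonce
        self._pending.discard(nonce)  # a nonce is valid for one attempt only
        expected = hmac.new(STORED, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(response, expected)

def challenge_response(password, nonce):
    key = hashlib.sha256(password.encode()).digest()
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()

def demo():
    # Value visible to anyone who can read the plaintext HTTP login request.
    captured = static_login_token(PASSWORD)
    static_replay = static_verify(captured)       # accepted again
    server = ChallengeServer()
    n1 = server.new_challenge()
    r1 = challenge_response(PASSWORD, n1)
    first = server.verify(n1, r1)                 # legitimate login
    same_nonce = server.verify(n1, r1)            # replay, nonce consumed
    new_nonce = server.verify(server.new_challenge(), r1)  # replay, fresh nonce
    return static_replay, first, same_nonce, new_nonce

if __name__ == "__main__":
    print(demo())
```

A nonce only stops replay of the login message itself; without HTTPS, anything else sent in clear text after login remains readable on the network, and the stored hash is still password-equivalent if it leaks from the device.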
Affected Products
Wavlink Quantum D4G