PT-2025-37345 · Wavlink · Wavlink Wl-Wn578W2

N0Ps1Ed · Published 2025-08-28 · Updated 2025-09-15 · CVE-2025-10325

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Wavlink WL-WN578W2 version 221110
Description: A vulnerability exists in the Wavlink WL-WN578W2 router. The issue is located in the /cgi-bin/login.cgi file, specifically within the sub_401340/sub_401BA4 function. Manipulation of the ipaddr argument can lead to command injection, allowing for remote attacks. The exploit is publicly available. The vendor was contacted regarding this disclosure but did not respond.
Recommendations: As a temporary workaround, consider restricting access to the /cgi-bin/login.cgi file to minimize the risk of exploitation. Avoid using the ipaddr parameter in the /cgi-bin/login.cgi endpoint until the issue is resolved.

Exploit

Fix

Weakness Enumeration: Special Elements Injection, Command Injection

Related Identifiers: BDU:2025-11324, CVE-2025-10325

Affected Products: Wavlink Wl-Wn578W2