0x01 Vulnerability description

An issue was discovered on WAVLINK WN535 G3 devices, firmware package version M35G3R.V5030.180927, where a crafted POST request sent to adm.cgi results in the execution of the supplied command if there is an active session at the same time.

0x02 Affected version

WAVLINK WN535 G3

0x03 Vulnerability

In adm.cgi, the received POST data is concatenated directly into the command string passed to the system function for execution.

[Image: image-20220520115840075]

[Image: image-20220520115621788]
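
The pattern described above, next to one way to harden it, as an added example; this is not code from adm.cgi or from the advisory's author. The ping helper, the function names and the sample input are hypothetical and stand in for whatever command the CGI actually builds.

```c
/* Added illustration: hypothetical CGI helper, not WAVLINK's adm.cgi code. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pattern described above: the POST value becomes part of a shell command line.
 * Builds the string that would be handed to system(); it is never executed here. */
int build_shell_cmd(char *out, size_t n, const char *post_value) {
    return snprintf(out, n, "ping -c 1 %s", post_value);
}

/* Allowlist: 1..63 chars of [A-Za-z0-9.-], not starting with '-' (no option injection). */
int is_valid_host(const char *s) {
    size_t len = strlen(s);
    if (len == 0 || len > 63 || s[0] == '-') return 0;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)s[i]) && s[i] != '.' && s[i] != '-') return 0;
    return 1;
}

/* Hardened form: validate, then exec with an argv array so no shell parses the value.
 * Returns the child's exit status (127 if exec failed), or -1 if rejected or fork/wait failed. */
int run_ping_safe(const char *post_value) {
    if (!is_valid_host(post_value)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {"ping", "-c", "1", (char *)post_value, NULL};
        execvp(argv[0], argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char cmd[128];
    const char *constructed = "192.0.2.1;reboot"; /* constructed sample input */
    build_shell_cmd(cmd, sizeof cmd, constructed);
    printf("shell would see: %s\n", cmd);
    printf("validator accepts it: %d\n", is_valid_host(constructed));
    return 0;
}
```

The allowlist is the primary control; passing the value as a separate argv element removes the shell from the path even if validation is later loosened.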

0x04 PoC verification

[Image: image-20220624111414578]

0x05 Acknowledgement

PeiWen.Huang