CVE-2024-10428 in WN530H4
Summary
by MITRE • 10/27/2024
A vulnerability was found in WAVLINK WN530H4, WN530HG4 and WN572HG3 up to 20221028. It has been rated as critical. This issue affects the function set_ipv6 of the file firewall.cgi. The manipulation of the argument dhcpGateway leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 11/14/2024
The vulnerability identified as CVE-2024-10428 represents a critical command injection flaw affecting WAVLINK wireless routers including models WN530H4, WN530HG4, and WN572HG3 with firmware versions up to 20221028. This security weakness resides within the firewall.cgi script's set_ipv6 function where the dhcpGateway parameter is improperly handled. The flaw enables attackers to execute arbitrary commands on the affected devices by manipulating the dhcpGateway argument, creating a significant risk for network security and device integrity.
The technical implementation of this vulnerability demonstrates a classic command injection vulnerability classified under CWE-77, where user-supplied input is directly incorporated into system commands without proper sanitization or validation. The attack vector is particularly concerning as it can be initiated remotely, eliminating the need for physical access to the device. The exploitation occurs through the web interface of the router, making it accessible to anyone with network connectivity to the device. This remote attack capability significantly expands the potential impact and attack surface for malicious actors.
From an operational perspective, this vulnerability poses severe risks to network infrastructure and security posture. Successful exploitation allows attackers to gain unauthorized access to the router's command execution environment, potentially enabling full device compromise, network reconnaissance, and lateral movement within the affected network. The fact that this exploit has been publicly disclosed and is actively being used increases the urgency for remediation. The vendor's lack of response to early disclosure attempts compounds the issue, leaving users without official patches or mitigation guidance during an active threat period.
Organizations and individuals utilizing these affected WAVLINK router models should immediately implement mitigations including network segmentation, firewall rules blocking access to the vulnerable web interface, and network monitoring for suspicious activity. The recommended approach involves disabling unnecessary services, implementing strong authentication mechanisms, and deploying intrusion detection systems to monitor for exploitation attempts. Additionally, users should consider upgrading to firmware versions that address this vulnerability, though the lack of vendor response suggests this may not be immediately available. The vulnerability also highlights the importance of firmware security updates and vendor accountability in maintaining network security. This issue aligns with ATT&CK technique T1059.001 for command and scripting interpreter, where adversaries execute commands through compromised devices, and T1046 for network service discovery, as the compromised router could be used for further network reconnaissance activities.