CVE-2025-55847 in M86X3Ainfo

Summary

by MITRE • 09/26/2025

Wavlink M86X3A_V240730 contains a buffer overflow vulnerability in the /cgi-bin/ExportAllSettings.cgi file. The vulnerability arises because the Cookie parameter does not properly validate the length of input data. Attackers can exploit this to execute arbitrary code or cause a denial of service (DoS) on the system

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 09/27/2025

The CVE-2025-55847 vulnerability represents a critical buffer overflow flaw within the Wavlink M86X3A_V240730 network device firmware, specifically manifesting in the /cgi-bin/ExportAllSettings.cgi web interface component. This vulnerability stems from inadequate input validation mechanisms within the Cookie parameter processing logic, creating a pathway for malicious actors to manipulate system memory through crafted HTTP requests. The flaw exists in the device's web server implementation where user-supplied cookie data is directly copied into a fixed-size buffer without proper bounds checking, violating fundamental security principles of input sanitization and memory safety. The vulnerability falls under CWE-121, which categorizes buffer overflow conditions where insufficient bounds checking allows attackers to overwrite adjacent memory locations, potentially leading to arbitrary code execution or system instability.

The operational impact of this vulnerability extends beyond simple denial of service scenarios, as it enables remote code execution capabilities that could allow attackers to fully compromise the affected device. When an attacker submits a maliciously crafted Cookie header containing excessive data, the buffer overflow can overwrite critical program execution flow control structures, potentially allowing code injection attacks. This vulnerability directly maps to ATT&CK technique T1210, which describes the exploitation of remote services through buffer overflow techniques, and T1059, which covers command and scripting interpreter usage for code execution. The device's web interface becomes a primary attack vector where legitimate administrative functionality is leveraged to deliver malicious payloads, making the exploitation particularly stealthy and effective.

The exploitation of this vulnerability requires minimal prerequisites, as it operates over standard HTTP protocols without requiring authentication for the specific endpoint, though administrative access might be needed for certain payload execution scenarios. The buffer overflow can be triggered through a simple HTTP request containing an oversized Cookie parameter, potentially causing immediate system crashes or more sophisticated attacks where the attacker gains persistent access to the device's command execution environment. Network traffic analysis reveals that the vulnerability can be exploited through standard web browser interactions or automated scanning tools, making it particularly dangerous in environments where such devices are exposed to untrusted networks. Security professionals should consider this vulnerability as a high-priority threat requiring immediate remediation, as it represents a classic remote code execution vector that could enable attackers to establish persistent backdoors, exfiltrate sensitive configuration data, or use the compromised device as a launch point for broader network attacks against adjacent systems. The affected firmware version indicates this is likely a widespread issue across multiple Wavlink devices within the same product line, emphasizing the need for comprehensive network-wide vulnerability assessment and patch management strategies.

Responsible

MITRE

Reservation

08/16/2025

Disclosure

09/26/2025

Moderation

accepted

CPE

ready

EPSS

0.01904

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!