| Title | https://github.com/dxz0069/WAVLINK-WN530H4-Command-Injection-in- WN530H4 (AC1200 Dual-Band Wi-Fi Router) Firmware: WN530H4-WAVLINK_20220721 Improper Neutralization of Special Elements used in an OS Comman |
|---|---|
| Description | A critical OS command injection vulnerability was identified in WAVLINK WN530H4 router firmware version WN530H4-WAVLINK_20220721. The vulnerability exists in the set_add_routing function of /cgi-bin/internet.cgi.<br><br>The function processes HTTP POST parameters (dest, netmask, gateway, custom_interface, etc.) for static routing configuration. User-supplied values are concatenated directly into a shell command string using strcat() and snprintf() without any input sanitization or validation. The resulting command is then passed to popen() for execution with root privileges.<br><br>An authenticated attacker can inject arbitrary OS commands by including shell metacharacters (e.g., semicolons) in any of the affected parameters, achieving remote code execution as root.<br><br>This vulnerability is a recurring instance of CVE-2024-39762 through CVE-2024-39765 (TALOS-2024-2020), which were originally discovered in the WAVLINK AC3000 (WN533A8) by Cisco Talos. The WN530H4 shares the same vulnerable codebase but was NOT listed as an affected product in the original CVE advisories.<br><br>`POST /cgi-bin/internet.cgi HTTP/1.1`<br>`Host: 192.168.10.1`<br>`Content-Type: application/x-www-form-urlencoded`<br>`Cookie: session=<valid_session>`<br><br>`page=addrouting&dest=;id&hostnet=host&netmask=x.x.x.x&gateway=;id&interface=WAN&custom_interface=&comment=test`<br><br>The injected payload `; id` causes the following shell command to be executed:<br><br>`route add -host ;id netmask x.x.x.x gw ;id dev eth2.2 2>&1`<br><br>Independently discovered and verified by Zhizhong Duan using the FirmRec automated symbolic execution engine. The same vulnerability pattern was originally reported by Cisco Talos for the AC3000 model. |
| Source | ⚠️ https://github.com/dxz0069/WAVLINK-WN530H4-Command-Injection-in-set_add_routing/blob/main/vuldb_submission_report.md |
| User | ST4R (UID 96634) |
| Submission | 03/19/2026 17:01 (29 days ago) |
| Moderation | 04/17/2026 07:35 (29 days later) |
| Status | Accepted |
| VulDB entry | 358021 [Wavlink WL-WN530H4 20220721 /cgi-bin/internet.cgi strcat/snprintf os command injection] |
| Points | 20 |
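Added example, not code from the vendor firmware or from the report above: a hardened form of the routine the description characterises (strcat/snprintf into a `route add ...` string handed to popen). Each routing field is validated against the shape it must have (dotted-quad address, plain interface name) and the command is passed to execv() as an argument vector, so no shell ever parses `;id`. The field names, the interface-name rule and the `/sbin/route` path are assumptions for illustration.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Dotted-quad IPv4 only: rejects ";id", "x.x.x.x" and the empty string. */
int valid_ipv4(const char *s) {
    struct in_addr a;
    return s != NULL && inet_pton(AF_INET, s, &a) == 1;
}

/* Interface name (assumed rule): 1-15 chars, alnum plus '.', '_', '-'. */
int valid_iface(const char *s) {
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > 15) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* argv for: route add -host DEST netmask MASK gw GW dev IFACE
 * Returns the entry count (10) or -1 when any field fails validation.
 * Each field is one argv entry, so a ';' can never start a new command. */
int build_route_argv(const char *dest, const char *mask, const char *gw,
                     const char *iface, const char *argv[12]) {
    if (!valid_ipv4(dest) || !valid_ipv4(mask) || !valid_ipv4(gw) ||
        !valid_iface(iface))
        return -1;
    const char *v[] = {"/sbin/route", "add", "-host", dest, "netmask", mask,
                       "gw", gw, "dev", iface, NULL};
    memcpy(argv, v, sizeof v);
    return 10;
}

/* Replacement for the popen() call: fork/execv, no shell. Returns the
 * child's exit status, or -1 on validation failure / fork error. */
int run_route_add(const char *dest, const char *mask, const char *gw,
                  const char *iface) {
    const char *argv[12];
    if (build_route_argv(dest, mask, gw, iface, argv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execv(argv[0], (char *const *)argv); _exit(127); }
    int st = 0; waitpid(pid, &st, 0);
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}
```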