ID

VAR-202509-1429


CVE

CVE-2025-10358


TITLE

OS command injection vulnerability in WAVLINK WL-WN578W2 firmware

Trust: 0.8

sources: JVNDB: JVNDB-2025-015087

DESCRIPTION

A security vulnerability has been detected in Wavlink WL-WN578W2 221110. It affects the function sub_404850 of the file /cgi-bin/wireless.cgi. Manipulation of the argument delete_list leads to OS command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. The WAVLINK WL-WN578W2 firmware contains an OS command injection vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). The Wavlink WL-WN578W2 is a wireless repeater manufactured by Wavlink, a Chinese company. The vulnerability stems from the failure of the sub_404850 function in /cgi-bin/wireless.cgi to properly sanitize special characters and commands in the delete_list parameter when constructing commands. An attacker could exploit this vulnerability to execute arbitrary commands.

Trust: 2.16

sources: NVD: CVE-2025-10358 // JVNDB: JVNDB-2025-015087 // CNVD: CNVD-2025-22097

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-22097

AFFECTED PRODUCTS

vendor: wavlink, model: wl-wn578w2, scope: eq, version: m78w2_v221110

Trust: 1.0

vendor: wavlink, model: wl-wn578w2, scope: eq, version: -

Trust: 0.8

vendor: wavlink, model: wl-wn578w2, scope: eq, version: wl-wn578w2 firmware m78w2 v221110

Trust: 0.8

vendor: wavlink, model: wl-wn578w2, scope: -, version: -

Trust: 0.8

vendor: wavlink, model: wl-wn578w2, scope: eq, version: 221110

Trust: 0.6

sources: CNVD: CNVD-2025-22097 // JVNDB: JVNDB-2025-015087 // NVD: CVE-2025-10358

CVSS

SEVERITY

CVSSV2

CVSSV3

cna@vuldb.com: CVE-2025-10358
value: MEDIUM

Trust: 1.0

nvd@nist.gov: CVE-2025-10358
value: CRITICAL

Trust: 1.0

OTHER: JVNDB-2025-015087
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2025-22097
value: HIGH

Trust: 0.6

cna@vuldb.com: CVE-2025-10358
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

OTHER: JVNDB-2025-015087
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2025-22097
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

cna@vuldb.com: CVE-2025-10358
baseSeverity: HIGH
baseScore: 7.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 3.9
impactScore: 3.4
version: 3.1

Trust: 1.0

nvd@nist.gov: CVE-2025-10358
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2025-015087
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2025-22097 // JVNDB: JVNDB-2025-015087 // NVD: CVE-2025-10358 // NVD: CVE-2025-10358

PROBLEMTYPE DATA

problemtype:CWE-77

Trust: 1.0

problemtype:CWE-78

Trust: 1.0

problemtype:Command injection (CWE-77) [ others ]

Trust: 0.8

problemtype:OS Command injection (CWE-78) [ others ]

Trust: 0.8

problemtype:OS Command injection (CWE-78) [NVD evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2025-015087 // NVD: CVE-2025-10358

EXTERNAL IDS

db: NVD, id: CVE-2025-10358

Trust: 3.2

db: VULDB, id: 323772

Trust: 1.8

db: JVNDB, id: JVNDB-2025-015087

Trust: 0.8

db: CNVD, id: CNVD-2025-22097

Trust: 0.6

sources: CNVD: CNVD-2025-22097 // JVNDB: JVNDB-2025-015087 // NVD: CVE-2025-10358

REFERENCES

url:https://github.com/zz2266/.github.io/tree/main/wavlink/wl-wn578w2/wireless.cgi/deletemac

Trust: 1.8

url:https://github.com/zz2266/.github.io/tree/main/wavlink/wl-wn578w2/wireless.cgi/deletemac#proof-of-concept-poc

Trust: 1.8

url:https://vuldb.com/?id.323772

Trust: 1.8

url:https://vuldb.com/?submit.643438

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2025-10358

Trust: 1.4

url:https://vuldb.com/?ctiid.323772

Trust: 1.0

sources: CNVD: CNVD-2025-22097 // JVNDB: JVNDB-2025-015087 // NVD: CVE-2025-10358

SOURCES

db: CNVD, id: CNVD-2025-22097
db: JVNDB, id: JVNDB-2025-015087
db: NVD, id: CVE-2025-10358

LAST UPDATE DATE

2025-10-09T23:23:47.330000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2025-22097, date: 2025-09-19T00:00:00
db: JVNDB, id: JVNDB-2025-015087, date: 2025-10-06T07:31:00
db: NVD, id: CVE-2025-10358, date: 2025-10-02T20:12:32.153

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2025-22097, date: 2025-09-19T00:00:00
db: JVNDB, id: JVNDB-2025-015087, date: 2025-10-06T00:00:00
db: NVD, id: CVE-2025-10358, date: 2025-09-13T08:15:26.673