ID

VAR-202509-1467


CVE

CVE-2025-10359


TITLE

Command injection vulnerability in WAVLINK WL-WN578W2 firmware

Trust: 0.8

sources: JVNDB: JVNDB-2025-015645

DESCRIPTION

A vulnerability was detected in Wavlink WL-WN578W2 221110. This impacts the function sub_404DBC of the file /cgi-bin/wireless.cgi. The manipulation of the argument macAddr results in OS command injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. An OS command injection vulnerability exists. Information may be obtained or tampered with, and service operation may be interrupted (DoS). The Wavlink WL-WN578W2 is a wireless repeater manufactured by Wavlink, a Chinese company. This vulnerability stems from the sub_404DBC function in the /cgi-bin/wireless.cgi file failing to properly sanitize special characters and commands in the macAddr parameter when constructing commands. An attacker could exploit this vulnerability to execute arbitrary commands.

Trust: 2.16

sources: NVD: CVE-2025-10359 // JVNDB: JVNDB-2025-015645 // CNVD: CNVD-2025-22098

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-22098

AFFECTED PRODUCTS

vendor: wavlink, model: wl-wn578w2, scope: eq, version: m78w2_v221110

Trust: 1.0

vendor: wavlink, model: wl-wn578w2, scope: eq, version: wl-wn578w2 firmware m78w2 v221110

Trust: 0.8

vendor: wavlink, model: wl-wn578w2, scope: eq, version: -

Trust: 0.8

vendor: wavlink, model: wl-wn578w2, scope: -, version: -

Trust: 0.8

vendor: wavlink, model: wl-wn578w2, scope: eq, version: 221110

Trust: 0.6

sources: CNVD: CNVD-2025-22098 // JVNDB: JVNDB-2025-015645 // NVD: CVE-2025-10359

CVSS

SEVERITY

CVSSV2

CVSSV3

cna@vuldb.com: CVE-2025-10359
value: MEDIUM

Trust: 1.0

nvd@nist.gov: CVE-2025-10359
value: CRITICAL

Trust: 1.0

OTHER: JVNDB-2025-015645
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2025-22098
value: HIGH

Trust: 0.6

cna@vuldb.com: CVE-2025-10359
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

OTHER: JVNDB-2025-015645
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2025-22098
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

cna@vuldb.com: CVE-2025-10359
baseSeverity: HIGH
baseScore: 7.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 3.9
impactScore: 3.4
version: 3.1

Trust: 1.0

nvd@nist.gov: CVE-2025-10359
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2025-015645
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2025-22098 // JVNDB: JVNDB-2025-015645 // NVD: CVE-2025-10359 // NVD: CVE-2025-10359

PROBLEMTYPE DATA

problemtype:CWE-77

Trust: 1.0

problemtype:CWE-78

Trust: 1.0

problemtype:Command injection (CWE-77) [ others ]

Trust: 0.8

problemtype:OS Command injection (CWE-78) [ others ]

Trust: 0.8

problemtype:OS Command injection (CWE-78) [NVD evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2025-015645 // NVD: CVE-2025-10359

EXTERNAL IDS

db: NVD, id: CVE-2025-10359

Trust: 3.2

db: VULDB, id: 323773

Trust: 1.8

db: JVNDB, id: JVNDB-2025-015645

Trust: 0.8

db: CNVD, id: CNVD-2025-22098

Trust: 0.6

sources: CNVD: CNVD-2025-22098 // JVNDB: JVNDB-2025-015645 // NVD: CVE-2025-10359

REFERENCES

url:https://github.com/zz2266/.github.io/blob/main/wavlink/wl-wn578w2/wireless.cgi/add_mac/

Trust: 1.8

url:https://github.com/zz2266/.github.io/tree/main/wavlink/wl-wn578w2/wireless.cgi/add_mac#proof-of-concept-poc

Trust: 1.8

url:https://vuldb.com/?id.323773

Trust: 1.8

url:https://vuldb.com/?submit.643444

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2025-10359

Trust: 1.4

url:https://vuldb.com/?ctiid.323773

Trust: 1.0

sources: CNVD: CNVD-2025-22098 // JVNDB: JVNDB-2025-015645 // NVD: CVE-2025-10359

SOURCES

db: CNVD, id: CNVD-2025-22098
db: JVNDB, id: JVNDB-2025-015645
db: NVD, id: CVE-2025-10359

LAST UPDATE DATE

2025-10-12T23:01:13.596000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2025-22098, date: 2025-09-19T00:00:00
db: JVNDB, id: JVNDB-2025-015645, date: 2025-10-10T02:15:00
db: NVD, id: CVE-2025-10359, date: 2025-10-02T20:12:03.467

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2025-22098, date: 2025-09-19T00:00:00
db: JVNDB, id: JVNDB-2025-015645, date: 2025-10-10T00:00:00
db: NVD, id: CVE-2025-10359, date: 2025-09-13T13:15:32.190