CVE-2020-10973
published 2020-05-07

Priority: P2, 64, high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EXPLOIT
EPSS: 7.76% (93.9th percentile)

An issue was discovered in Wavlink WN530HG4, Wavlink WN531G3, Wavlink WN533A8, and Wavlink WN551K1 affecting /cgi-bin/ExportAllSettings.sh where a crafted POST request returns the current configuration of the device, including the administrator password. No authentication is required. The attacker must perform a decryption step, but all decryption information is readily available.

Affected (1 range)

Vendor | Product | Version range | Fixed in
wavlink | wn530hg4_firmware | |

Detection & IOCs (extracted from sources)

path: /cgi-bin/ExportAllSettings.sh
path: /backupsettings.dat
bytes: Salted__
  • Send a GET request to /backupsettings.dat; a vulnerable device responds with HTTP 200, Content-Type: application/octet-stream, and a body beginning with the OpenSSL-salted magic bytes 'Salted__'.
  • Match response body for the string 'Salted__' AND response header for 'application/octet-stream' AND HTTP status 200 to confirm exploitation of the unauthenticated config-export endpoint.
  • Shodan/FOFA fingerprinting: identify exposed Wavlink devices via HTML body keywords 'Wavlink' or 'wavlink' before probing the vulnerable endpoint.
  • No authentication is required to exploit this vulnerability; any unauthenticated POST/GET to /cgi-bin/ExportAllSettings.sh or /backupsettings.dat on affected Wavlink devices (WN530HG4, WN531G3, WN533A8, WN551K1) should be treated as malicious.
  • The exported configuration file is OpenSSL-encrypted (salted), but all decryption material is embedded in the device firmware and is publicly available, making the encryption trivially bypassable.
  • The Nuclei template targets firmware version m30hg4.v5030.191116 as a confirmed affected CPE; other listed models (WN531G3, WN533A8, WN551K1) are also affected but may present the endpoint differently.
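
The indicators above can be applied to logs a defender already holds. The following is an added example, not code from this page or from any vendor: it assumes HTTP access logs in Apache/nginx "combined" format from a proxy or sensor in front of the device, and the function names and sample log lines are constructed for illustration.

```python
import re

# Paths and magic bytes named in the IOC list above.
IOC_PATHS = {"/cgi-bin/ExportAllSettings.sh", "/backupsettings.dat"}
MAGIC = b"Salted__"  # OpenSSL salted-format header

# Assumption: "combined" log format written by a proxy or HTTP sensor.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def normalize_path(target):
    """Strip query/fragment and collapse duplicate slashes before matching."""
    path = re.split(r"[?#]", target, maxsplit=1)[0]
    return re.sub(r"/{2,}", "/", path)

def find_hits(lines):
    """Return (src, ts, method, path, status) for every request to an IOC path."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        path = normalize_path(m["target"])
        if path in IOC_PATHS:
            hits.append((m["src"], m["ts"], m["method"], path, int(m["status"])))
    return hits

def response_leaked_config(status, content_type, body):
    """Three-condition match from the list: 200 + octet-stream + 'Salted__' prefix."""
    ctype = content_type.split(";", 1)[0].strip().lower()
    return status == 200 and ctype == "application/octet-stream" and body.startswith(MAGIC)

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [07/May/2020:10:01:02 +0000] "POST /cgi-bin/ExportAllSettings.sh HTTP/1.1" 200 0 "-" "-"',
    '198.51.100.7 - - [07/May/2020:10:01:03 +0000] "GET /backupsettings.dat?x=1 HTTP/1.1" 200 4128 "-" "-"',
    '192.0.2.10 - - [07/May/2020:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.5 - - [07/May/2020:10:06:00 +0000] "GET //backupsettings.dat HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 on either path warrants rotating the administrator password on that device, since the exported file contains it.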

CVSS provenance

nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N