CVE-2020-10973
Published 2020-05-07
Priority: P2 · 64 · high · 7.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EXPLOIT
EPSS: 7.76% (93.9th percentile)
An issue was discovered in Wavlink WN530HG4, Wavlink WN531G3, Wavlink WN533A8, and Wavlink WN551K1 affecting /cgi-bin/ExportAllSettings.sh where a crafted POST request returns the current configuration of the device, including the administrator password. No authentication is required. The attacker must perform a decryption step, but all decryption information is readily available.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wavlink | wn530hg4_firmware | — | — |
Detection & IOCs
bytes: Salted__
- Send a GET request to /backupsettings.dat; a vulnerable device responds with HTTP 200, Content-Type: application/octet-stream, and a body beginning with the OpenSSL-salted magic bytes 'Salted__'.
- Match response body for the string 'Salted__' AND response header for 'application/octet-stream' AND HTTP status 200 to confirm exploitation of the unauthenticated config-export endpoint.
- Shodan/FOFA fingerprinting: identify exposed Wavlink devices via HTML body keywords 'Wavlink' or 'wavlink' before probing the vulnerable endpoint.
- No authentication is required to exploit this vulnerability; any unauthenticated POST/GET to /cgi-bin/ExportAllSettings.sh or /backupsettings.dat on affected Wavlink devices (WN530HG4, WN531G3, WN533A8, WN551K1) should be treated as malicious.
- The exported configuration file is OpenSSL-encrypted (salted), but all decryption material is embedded in the device firmware and is publicly available, making the encryption trivially bypassable.
- The Nuclei template targets firmware version m30hg4.v5030.191116 as a confirmed affected CPE; other listed models (WN531G3, WN533A8, WN551K1) are also affected but may present the endpoint differently.
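The matching logic in the detection notes above can be applied to recorded HTTP traffic. The following is an added example, not code from this page or from the Nuclei template; the `HttpTransaction` record shape, the function names and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Paths named on this page for the unauthenticated configuration export.
EXPORT_PATHS = {"/cgi-bin/exportallsettings.sh", "/backupsettings.dat"}
SALTED_MAGIC = b"Salted__"  # OpenSSL salted-file magic bytes


@dataclass
class HttpTransaction:
    """Hypothetical record built from proxy or network-sensor logs."""
    src: str
    method: str
    path: str
    status: int
    content_type: str
    body_prefix: bytes  # first bytes of the response body


def classify(tx):
    """Return 'leak', 'probe' or None for one request/response pair."""
    path = tx.path.split("?", 1)[0].lower()  # ignore query string and case
    if path not in EXPORT_PATHS:
        return None
    leaked = (
        tx.status == 200
        and "application/octet-stream" in tx.content_type.lower()
        and tx.body_prefix.startswith(SALTED_MAGIC)
    )
    # 'leak': the device returned its encrypted configuration.
    # 'probe': the endpoint was requested but the export markers are absent.
    return "leak" if leaked else "probe"


def triage(transactions):
    """Group matching transactions by verdict for analyst review."""
    findings = {"leak": [], "probe": []}
    for tx in transactions:
        verdict = classify(tx)
        if verdict:
            findings[verdict].append((tx.src, tx.method, tx.path))
    return findings


# Constructed sample records (documentation address ranges).
SAMPLE = [
    HttpTransaction("203.0.113.7", "GET", "/backupsettings.dat", 200,
                    "application/octet-stream", b"Salted__\x01\x02\x03"),
    HttpTransaction("203.0.113.7", "POST", "/cgi-bin/ExportAllSettings.sh", 200,
                    "text/html", b""),
    HttpTransaction("198.51.100.9", "GET", "/backupsettings.dat?x=1", 404,
                    "text/html", b"<html>"),
    HttpTransaction("192.0.2.10", "GET", "/index.html", 200,
                    "text/html; charset=utf-8", b"<html>Wavlink"),
]
```

A 'leak' verdict means the configuration, including the administrator password, left the device, so the credentials it contains should be treated as exposed.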
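CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |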
No detection rules found.
Nuclei
CVE-2020-10973 [HIGH] WAVLINK - Access Control
nuclei · CVSS 7.5
Wavlink WN530HG4, WN531G3, WN533A8, and WN551K are susceptible to improper access control via /cgi-bin/ExportAllSettings.sh, where a crafted POST request returns the current configuration of the device, including the administrator password. No authentication is required. The attacker must perform a decryption step, but all decryption information is readily available.
Template:
```yaml
id: CVE-2020-10973
info:
  name: WAVLINK - Access Control
  author: arafatansari
  severity: high
  description: |
    Wavlink WN530HG4, WN531G3, WN533A8, and WN551K are susceptible to improper access control via /cgi-bin/ExportAllSettings.sh, where a crafted POST request returns the current configuration of the device, including the administrator password. No authentication is required. The attacker
```
No writeups or analysis indexed.
- https://github.com/Roni-Carta/nyra
- https://github.com/sudo-jtcsec/CVE/blob/master/CVE-2020-10973
- https://github.com/sudo-jtcsec/CVE/blob/master/CVE-2020-10973-affected_devices
- https://github.com/sudo-jtcsec/Nyra