PowerStick Wave CVE-2025-29534
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable CGI requiring valid low-privilege login (PR:L) with low complexity; command injection runs as root, giving full C/I/A impact with no scope change.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
An authenticated remote code execution vulnerability in PowerStick Wave Dual-Band Wifi Extender V1.0 allows an attacker with valid credentials to execute arbitrary commands with root privileges. The issue stems from insufficient sanitization of user-supplied input in the /cgi-bin/cgi_vista.cgi executable, which is passed to a system-level function call.
AnalysisAI
Authenticated OS command injection in the PowerStick Wave Dual-Band Wifi Extender V1.0 lets a user with valid credentials run arbitrary commands as root via the /cgi-bin/cgi_vista.cgi endpoint. Because the device firmware runs its web management logic with root privileges, successful exploitation yields complete takeover of the extender. The single NVD reference is a public researcher gist that very likely contains proof-of-concept detail, though the flaw is not listed in CISA KEV and EPSS risk is modest (0.66%, 47th percentile).
Technical ContextAI
The affected component is the embedded web management interface of a consumer dual-band Wi-Fi range extender, implemented as CGI binaries under /cgi-bin/. The specific executable cgi_vista.cgi takes user-supplied parameters and passes them into a system-level call (e.g. system()/popen()/exec of a shell) without adequate sanitization or escaping. This is a classic CWE-78 (Improper Neutralization of Special Elements used in an OS Command) issue: shell metacharacters such as ;, |, `, and $() in the tainted input are interpreted by the underlying shell rather than treated as literal data. As is typical for SOHO networking firmware, the CGI process executes as root, so any injected command inherits full root privileges on the device.
Affected ProductsAI
The vulnerability affects the PowerStick Wave Dual-Band Wifi Extender at firmware/hardware version V1.0, specifically the web management binary /cgi-bin/cgi_vista.cgi. No CPE string was provided in the input, so the affected configuration is derived solely from the CVE description; other firmware revisions or hardware variants are not confirmed affected or unaffected from the available data. The only reference supplied is a public gist (https://gist.github.com/EmptyButter/19b2c626f4589d1f9d4478632205a9eb); no official vendor advisory URL was provided.
RemediationAI
No vendor-released patch identified at time of analysis, and no fix version is present in the input data, so a firmware upgrade cannot be cited. As compensating controls: change any default/weak administrative credentials immediately since exploitation requires an authenticated session, which raises the barrier when credentials are strong and unique; restrict access to the extender's web management interface (typically HTTP on the LAN IP) to a trusted management VLAN or specific admin host via network segmentation, accepting the trade-off that legitimate remote administration becomes less convenient; disable any remote/WAN-side management if the device exposes it; and monitor the device's LAN for unexpected outbound connections that could indicate post-exploitation. Where feasible, consider retiring or replacing the device given the absence of a confirmed patch. Consult the referenced gist for technical detail, but treat it as researcher material rather than a vendor advisory.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today