EUVD-2025-21351CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Description
Wavlink WN535K3 20191010 was found to contain a command injection vulnerability in the set_sys_adm function via the newpass parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
Analysis
CVE-2025-50756 is a critical unauthenticated command injection vulnerability in the Wavlink WN535K3 router (firmware version 20191010) affecting the set_sys_adm function's newpass parameter. An unauthenticated remote attacker can execute arbitrary system commands with root privileges by sending a crafted request, enabling complete device compromise including data theft, malware installation, and lateral network movement. The CVSS 9.8 score reflects maximum severity; KEV status and active exploitation likelihood are elevated given the high exploitability characteristics (network-accessible, no authentication required, low attack complexity).
Technical Context
The vulnerability stems from improper input validation and sanitization in the set_sys_adm administrative function, classified as CWE-77 (Improper Neutralization of Special Elements used in a Command). The Wavlink WN535K3 is a consumer-grade WiFi router running embedded Linux firmware. The newpass parameter, intended for password updates, fails to properly escape or filter shell metacharacters and command separators (e.g., semicolons, pipes, command substitution operators), allowing OS command injection. The firmware version 20191010 indicates this is legacy hardware; affected CPE would be: cpe:2.3:o:wavlink:wn535k3_firmware:20191010:*:*:*:*:*:*:*. The vulnerability likely exists in the HTTP/HTTPS web interface or UPnP service that handles administrative requests, common attack surfaces for router exploitation.
Affected Products
Wavlink WN535K3 WiFi Router, firmware version 20191010 and potentially earlier/later versions in the same release branch. CPE: cpe:2.3:o:wavlink:wn535k3_firmware:20191010:*:*:*:*:*:*:*. Wavlink as a vendor primarily serves budget consumer and small business markets; devices are distributed globally through e-commerce channels. No vendor advisory links provided in the source data; organizations should contact Wavlink support (support.wavlink.com) or check their security advisories page for official guidance. All instances of this hardware model running vulnerable firmware versions should be inventoried, particularly in organizational networks, IoT deployments, and edge locations.
Remediation
Immediate Actions: (1) Check Wavlink's official firmware repository and security advisory page for patched firmware versions newer than 20191010—download and apply via the device's web interface (System Settings > Firmware Update) or via TFTP if web interface is compromised; (2) If no patch is available, implement network-level mitigations: restrict HTTP/HTTPS access to the router's management interface via firewall rules (limit to trusted administrative subnets only), disable remote management features in router settings, and segment the router's management network from general user traffic; (3) Change default credentials immediately if not already done; (4) Isolate affected devices to air-gapped or highly restricted networks if patching is unavailable; (5) Long-term: replace end-of-life hardware with modern routers receiving active firmware updates (Wavlink models post-2020+ with active vendor support). Contact Wavlink technical support at support.wavlink.com or [email protected] for patch availability confirmation and extended support options.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today