Cyber Resilience

CVE-2025-10323

MediumPublic PoC

Published: 12 September 2025

Published
12 September 2025
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0103 77.7th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-10323 is a medium-severity Injection (CWE-74) vulnerability in Wavlink Wl-Wn578W2 Firmware. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Device CLI (T1059.008); ranked in the top 22.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

A command injection vulnerability exists in the Wavlink WL-WN578W2 device running firmware 221110. The flaw resides in the function sub_409184 within the file /wizard_rep.shtml, where unsanitized input to the sel_EncrypTyp argument is passed to a system command. The issue is tracked as CWE-74 and CWE-77 and carries a CVSS 4.0 score of 5.5.

An unauthenticated remote attacker can supply a crafted sel_EncrypTyp value to the affected endpoint and execute arbitrary commands on the device. Successful exploitation yields limited read, write, and resource-control capabilities on the target without requiring user interaction or credentials. A working proof-of-concept has been published.

The vendor was notified prior to disclosure but did not respond or issue a patch. The current and peak EPSS scores remain at 0.0103, indicating no material increase in observed exploitation activity since publication.

EU & UK References

Vulnerability details

A vulnerability was found in Wavlink WL-WN578W2 221110. The impacted element is the function sub_409184 of the file /wizard_rep.shtml. The manipulation of the argument sel_EncrypTyp results in command injection. The attack may be performed from remote. The exploit has been…

more

made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1202 Indirect Command Execution Stealth
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
Why these techniques?

Unauthenticated remote command injection via web interface (/wizard_rep.shtml, sel_EncrypTyp parameter) on network device enables exploitation of public-facing application (T1190), network device CLI command execution (T1059.008), and indirect command execution (T1202 as cited in advisory).

CVEs Like This One

CVE-2025-10325Same product: Wavlink Wl-Wn578W2
CVE-2025-10324Same product: Wavlink Wl-Wn578W2
CVE-2025-10358Same product: Wavlink Wl-Wn578W2
CVE-2025-10359Same product: Wavlink Wl-Wn578W2
CVE-2025-10959Same vendor: Wavlink
CVE-2025-10964Same vendor: Wavlink
CVE-2025-10958Same vendor: Wavlink
CVE-2025-10960Same vendor: Wavlink
CVE-2026-2530Same vendor: Wavlink
CVE-2026-3704Same vendor: Wavlink

Affected Assets

wavlink
wl-wn578w2 firmware
m78w2_v221110

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the sel_EncrypTyp argument in /wizard_rep.shtml to block command injection payloads.

prevent

Enforces access-control checks on the unauthenticated wizard_rep.shtml endpoint so only authorized subjects can reach sub_409184.

prevent

Boundary-protection rules can restrict remote network access to the router's web management interface, reducing the attack surface for this unauthenticated injection flaw.

References