Cyber Resilience

CVE-2025-10324

MediumPublic PoC

Published: 12 September 2025

Published
12 September 2025
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0103 77.7th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-10324 is a medium-severity Injection (CWE-74) vulnerability in Wavlink Wl-Wn578W2 Firmware. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

A command injection vulnerability tracked as CVE-2025-10324 affects the Wavlink WL-WN578W2 router running firmware 221110. The flaw exists in the sub_401C5C function of firewall.cgi, where unsanitized values supplied to the pingFrmWANFilterEnabled, blockSynFloodEnabled, blockPortScanEnabled, and remoteManagementEnabled parameters are passed to system commands.

An unauthenticated attacker can exploit the issue remotely by submitting crafted HTTP requests to the web interface, resulting in arbitrary command execution on the device. The vulnerability carries a CVSS 4.0 score of 5.5 and is accompanied by public proof-of-concept material that demonstrates the injection.

The vendor was notified prior to disclosure but has not responded or released mitigations. Public references consist of technical write-ups and vulnerability database entries that reproduce the flaw; no official patches or workarounds are documented. The associated EPSS score has remained flat at 0.0103 with no material rise since publication.

EU & UK References

Vulnerability details

A vulnerability was determined in Wavlink WL-WN578W2 221110. This affects the function sub_401C5C of the file firewall.cgi. This manipulation of the argument pingFrmWANFilterEnabled/blockSynFloodEnabled/blockPortScanEnabled/remoteManagementEnabled causes command injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed…

more

and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
T1202 Indirect Command Execution Stealth
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
Why these techniques?

Unauthenticated remote command injection in firewall.cgi enables exploitation of public-facing web application (T1190), Unix shell command execution (T1059.004), and indirect command execution (T1202) as mapped by VulDB.

CVEs Like This One

CVE-2025-10325Same product: Wavlink Wl-Wn578W2
CVE-2025-10323Same product: Wavlink Wl-Wn578W2
CVE-2025-10358Same product: Wavlink Wl-Wn578W2
CVE-2025-10359Same product: Wavlink Wl-Wn578W2
CVE-2026-3661Same vendor: Wavlink
CVE-2026-2615Same vendor: Wavlink
CVE-2026-7690Same vendor: Wavlink
CVE-2026-2529Same vendor: Wavlink
CVE-2025-9149Same vendor: Wavlink
CVE-2026-3662Same vendor: Wavlink

Affected Assets

wavlink
wl-wn578w2 firmware
m78w2_v221110

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of untrusted inputs to firewall.cgi parameters, blocking the command injection via pingFrmWANFilterEnabled and similar arguments.

prevent

Enforces access control decisions on the unauthenticated firewall.cgi functions, preventing remote attackers from reaching or manipulating the vulnerable sub_401C5C code path.

prevent

Restricts external network access to the router's management interfaces, limiting remote exploitation of the publicly disclosed command-injection flaw.

References