CVE-2025-10325
Published: 12 September 2025
Summary
CVE-2025-10325 is a low-severity Injection (CWE-74) vulnerability in Wavlink WL-WN578W2 firmware. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 21.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Deeper analysis
A command injection vulnerability exists in the Wavlink WL-WN578W2 router running firmware version 221110. The flaw resides in the sub_401340 and sub_401BA4 functions of /cgi-bin/login.cgi, where unsanitized input supplied to the ipaddr argument is passed to a system command without proper escaping, enabling arbitrary command execution. The issue is tracked under CWE-74 and CWE-77 and carries a CVSS 4.0 score of 2.1.
An authenticated remote attacker with low privileges can trigger the vulnerability by submitting a crafted HTTP request to the login.cgi endpoint. Successful exploitation grants the ability to execute limited commands on the device, affecting confidentiality, integrity, and availability within the local scope while leaving the broader network unaffected. Public exploit code has been released, although the EPSS score has remained flat at 0.0107 with no material increase since disclosure.
The vendor was notified in advance but did not respond, and none of the referenced sources describe patches, workarounds, or official mitigation steps. The stable low EPSS value indicates limited observed exploitation interest following publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-29074
Vulnerability details
A vulnerability was identified in Wavlink WL-WN578W2 221110. This impacts the function sub_401340/sub_401BA4 of the file /cgi-bin/login.cgi. Such manipulation of the argument ipaddr leads to command injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in public-facing /cgi-bin/login.cgi enables exploitation of public-facing application (T1190) and indirect command execution (T1202) via unsanitized 'ipaddr' parameter, as confirmed by advisories and VulDB mapping.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly blocks command injection by requiring validation and sanitization of the ipaddr argument passed to /cgi-bin/login.cgi before it reaches sub_401340/sub_401BA4.
Limits the impact of the flaw by restricting authenticated low-privilege users from reaching or executing commands through the vulnerable login.cgi functions.
Enforces access-control policy checks on the ipaddr parameter and login.cgi endpoint so that only explicitly permitted operations are allowed, preventing arbitrary command execution.
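As an illustration of the input validation control described above, the following added example (not Wavlink firmware code and not taken from any referenced advisory) shows a strict allow-list check for an ipaddr value, followed by argument-vector construction so that no shell parses it. The function names, the `/bin/ping` command and the sample inputs are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Strict dotted-quad IPv4 check: exactly four decimal octets (0-255),
 * one to three digits each, no leading zeros, no other characters.
 * Returns 1 if valid, 0 otherwise. */
int ipaddr_is_valid(const char *s)
{
    if (s == NULL) return 0;
    for (int octet = 0; octet < 4; octet++) {
        int digits = 0, value = 0;
        while (*s >= '0' && *s <= '9') {
            if (digits == 1 && value == 0)
                return 0;                 /* leading zero, e.g. "01" */
            value = value * 10 + (*s - '0');
            if (++digits > 3 || value > 255)
                return 0;                 /* too long or out of range */
            s++;
        }
        if (digits == 0) return 0;        /* empty octet */
        if (octet < 3 && *s++ != '.') return 0;
    }
    return *s == '\0';                    /* reject any trailing bytes */
}

/* Hypothetical helper: fill argv for a diagnostic command launched with
 * an execv()-style API, so the value is never concatenated into a
 * shell command line. Returns 0 on success, -1 if ipaddr is rejected. */
int build_diag_argv(const char *ipaddr, const char *argv[5])
{
    if (!ipaddr_is_valid(ipaddr))
        return -1;
    argv[0] = "/bin/ping";                /* assumed command, not from the page */
    argv[1] = "-c"; argv[2] = "1";
    argv[3] = ipaddr;                     /* one argument, passed as data */
    argv[4] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the advisory. */
    const char *samples[] = { "192.168.10.1", "192.168.10.1;echo x", "10.0.0.256" };
    const char *argv[5];
    for (size_t i = 0; i < 3; i++)
        printf("%-22s -> %s\n", samples[i],
               build_diag_argv(samples[i], argv) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Validation and shell-free invocation are complementary: the allow-list rejects anything that is not an address, and the argument vector keeps the value out of a command string even if a later change loosens the check.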