Cyber Resilience

CVE-2025-10325

Severity: Low · Public PoC

Published: 12 September 2025

Modified: 29 April 2026
KEV Added: not listed
Patch: none referenced
CVSS Score (v4): 2.1 — CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0107 (78.1st percentile)
Risk Priority: 5 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-10325 is a low-severity Injection (CWE-74) vulnerability in Wavlink WL-WN578W2 firmware. Its CVSS base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 21.9% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

A command injection vulnerability exists in the Wavlink WL-WN578W2 router running firmware version 221110. The flaw resides in the sub_401340 and sub_401BA4 functions of /cgi-bin/login.cgi, where unsanitized input supplied to the ipaddr argument is passed to a system command without proper escaping, enabling arbitrary command execution. The issue is tracked under CWE-74 and CWE-77 and carries a CVSS 4.0 score of 2.1.

An authenticated remote attacker with low privileges can trigger the vulnerability by submitting a crafted HTTP request to the login.cgi endpoint. Successful exploitation grants the ability to execute limited commands on the device, affecting confidentiality, integrity, and availability within the local scope while leaving the broader network unaffected. Public exploit code has been released, although the EPSS score has remained flat at 0.0107 with no material increase since disclosure.

The vendor was notified in advance but did not respond, and none of the referenced sources describe patches, workarounds, or official mitigation steps. The stable low EPSS value indicates limited observed exploitation interest following publication.


Vulnerability details

A vulnerability was identified in Wavlink WL-WN578W2 221110. This impacts the function sub_401340/sub_401BA4 of the file /cgi-bin/login.cgi. Such manipulation of the argument ipaddr leads to command injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s): CWE-74 (Injection), CWE-77 (Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1202 Indirect Command Execution (Stealth): Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

Why these techniques?

Command injection in the public-facing /cgi-bin/login.cgi, reached through the unsanitized 'ipaddr' parameter, maps to exploitation of a public-facing application (T1190) and to indirect command execution (T1202), as confirmed by the advisories and the VulDB mapping.

CVEs Like This One

- CVE-2025-10324 — same product: Wavlink WL-WN578W2
- CVE-2025-10323 — same product: Wavlink WL-WN578W2
- CVE-2025-10359 — same product: Wavlink WL-WN578W2
- CVE-2025-10358 — same product: Wavlink WL-WN578W2
- CVE-2025-9149 — same vendor: Wavlink
- CVE-2025-10959 — same vendor: Wavlink
- CVE-2025-10964 — same vendor: Wavlink
- CVE-2025-10958 — same vendor: Wavlink
- CVE-2025-10960 — same vendor: Wavlink
- CVE-2025-10963 — same vendor: Wavlink

Affected Assets

Vendor: wavlink · Product: wl-wn578w2 firmware · Version: m78w2_v221110

Mitigating Controls

NIST 800-53 r5 controls (AI-mapped)

- prevent (SI-10 Information Input Validation): Directly blocks command injection by requiring validation and sanitization of the ipaddr argument passed to /cgi-bin/login.cgi before it reaches sub_401340/sub_401BA4.
- prevent: Limits the impact of the flaw by restricting authenticated low-privilege users from reaching or executing commands through the vulnerable login.cgi functions.
- prevent (AC-3 Access Enforcement): Enforces access-control policy checks on the ipaddr parameter and login.cgi endpoint so that only explicitly permitted operations are allowed, preventing arbitrary command execution.
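Added example, in C, of the input-validation control described above; it is not code from the advisory or from the Wavlink firmware. An ipaddr value is accepted only when it is a complete dotted-quad IPv4 literal and is then placed into an exec-style argument vector rather than interpolated into a shell command line; the helper program path is a placeholder, and the sample inputs in the comments are constructed.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <string.h>

/* Returns 1 only when s is a complete dotted-quad IPv4 literal, 0 otherwise.
 * inet_pton() must consume the entire string, so a value such as
 * "192.168.1.1;id" or "$(id)" (constructed samples) fails the check
 * along with whitespace, empty strings, and missing or oversized octets. */
int ipaddr_is_valid(const char *s)
{
    struct in_addr a;
    if (s == NULL || strlen(s) > 15)  /* "255.255.255.255" is the longest form */
        return 0;
    return inet_pton(AF_INET, s, &a) == 1;
}

/* Prepares an argv for exec-style execution of an assumed helper program
 * (placeholder path, not a real firmware path) instead of building a shell
 * string from ipaddr. buf must hold at least 16 bytes. On rejection it
 * returns 0 and leaves argv[0] NULL so nothing can be executed by mistake. */
int build_argv(const char *ipaddr, const char *argv[4], char buf[16])
{
    argv[0] = NULL;
    if (!ipaddr_is_valid(ipaddr))
        return 0;
    strcpy(buf, ipaddr);              /* length already bounded to 15 + NUL */
    argv[0] = "/usr/sbin/ipaddr-helper"; /* placeholder program */
    argv[1] = buf;                    /* validated address as its own argument */
    argv[2] = NULL;
    argv[3] = NULL;
    return 1;
}
```

Because the value is a separate argv entry and never reaches a shell, even a validator bypass would not turn it into a second command; the validator still rejects anything that is not an IPv4 literal so the helper only ever receives an address.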
