CVE-2025-29534
Published: 28 July 2025
Summary
CVE-2025-29534 is a high-severity OS Command Injection (CWE-78) vulnerability in Wave Dual-Band Wifi (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 16.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability CVE-2025-29534 affects the PowerStick Wave Dual-Band Wifi Extender V1.0 and consists of an authenticated remote code execution flaw. Insufficient input sanitization in the /cgi-bin/cgi_vista.cgi binary allows attacker-controlled values to reach a system-level function call, resulting in OS command injection as classified under CWE-78.
An attacker who possesses valid credentials can send crafted requests over the network to execute arbitrary commands with root privileges. The CVSS 3.1 score of 8.8 reflects the combination of network attack vector, low complexity, and full impact on confidentiality, integrity, and availability without requiring user interaction.
The associated EPSS score has remained flat at 0.0186 with no material rise after disclosure. Public references include the vendor site wave.com and a technical gist describing the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22948
Vulnerability details
An authenticated remote code execution vulnerability in PowerStick Wave Dual-Band Wifi Extender V1.0 allows an attacker with valid credentials to execute arbitrary commands with root privileges. The issue stems from insufficient sanitization of user-supplied input in the /cgi-bin/cgi_vista.cgi executable, which…
more
is passed to a system-level function call.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authenticated OS command injection in public-facing CGI binary directly enables remote code execution on network device.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 directly addresses the insufficient sanitization of user-supplied input in the CGI script by requiring validation at external interfaces, preventing OS command injection.
SI-2 requires timely remediation of the specific software flaw in /cgi-bin/cgi_vista.cgi that enables authenticated RCE with root privileges.
AC-6 enforces least privilege, limiting the damage from command injection by preventing the CGI process from executing system calls with unnecessary root privileges.