Cyber Resilience

CVE-2025-29534

HighRCE

Published: 28 July 2025

Published
28 July 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0186 83.5th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-29534 is a high-severity OS Command Injection (CWE-78) vulnerability in Wave Dual-Band Wifi (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 16.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability CVE-2025-29534 affects the PowerStick Wave Dual-Band Wifi Extender V1.0 and consists of an authenticated remote code execution flaw. Insufficient input sanitization in the /cgi-bin/cgi_vista.cgi binary allows attacker-controlled values to reach a system-level function call, resulting in OS command injection as classified under CWE-78.

An attacker who possesses valid credentials can send crafted requests over the network to execute arbitrary commands with root privileges. The CVSS 3.1 score of 8.8 reflects the combination of network attack vector, low complexity, and full impact on confidentiality, integrity, and availability without requiring user interaction.

The associated EPSS score has remained flat at 0.0186 with no material rise after disclosure. Public references include the vendor site wave.com and a technical gist describing the issue.

EU & UK References

Vulnerability details

An authenticated remote code execution vulnerability in PowerStick Wave Dual-Band Wifi Extender V1.0 allows an attacker with valid credentials to execute arbitrary commands with root privileges. The issue stems from insufficient sanitization of user-supplied input in the /cgi-bin/cgi_vista.cgi executable, which…

more

is passed to a system-level function call.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Authenticated OS command injection in public-facing CGI binary directly enables remote code execution on network device.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-42454Shared CWE-78
CVE-2026-34796Shared CWE-78
CVE-2024-57016Shared CWE-78
CVE-2025-50475Shared CWE-78
CVE-2024-57015Shared CWE-78
CVE-2026-36828Shared CWE-78
CVE-2024-57595Shared CWE-78
CVE-2026-25196Shared CWE-78
CVE-2024-50566Shared CWE-78
CVE-2026-23592Shared CWE-78

Affected Assets

Wave
Dual-Band Wifi
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 directly addresses the insufficient sanitization of user-supplied input in the CGI script by requiring validation at external interfaces, preventing OS command injection.

prevent

SI-2 requires timely remediation of the specific software flaw in /cgi-bin/cgi_vista.cgi that enables authenticated RCE with root privileges.

prevent

AC-6 enforces least privilege, limiting the damage from command injection by preventing the CGI process from executing system calls with unnecessary root privileges.

References