Cyber Resilience

CVE-2025-44868

Tags: Critical · Public PoC · RCE

Published: 02 May 2025
Modified: 13 June 2025
KEV Added: not listed
Patch: none referenced
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0435 (89.2th percentile)
Risk Priority: 22 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-44868 is a critical-severity Command Injection (CWE-77) vulnerability in Wavlink WL-WN530H4 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 10.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Deeper analysis

Wavlink WL-WN530H4 firmware dated 20220801 contains a command injection vulnerability in the ping_test function of adm.cgi that is triggered through the pingIp parameter. The flaw, tracked as CVE-2025-44868 and assigned CWE-77, permits unauthenticated remote attackers to supply crafted input that results in execution of arbitrary operating-system commands. It carries a CVSS 3.1 base score of 9.8, reflecting a network attack vector, low attack complexity, and no required privileges or user interaction.

An attacker with network reachability to the device can submit a malicious HTTP request to the administrative CGI endpoint and obtain command execution. Successful exploitation yields full control over the router, enabling actions such as configuration changes, traffic interception, persistence installation, or lateral movement within the attached network.

The public references consist of proof-of-concept repositories that demonstrate the injection vector; no vendor advisory, firmware update, or mitigation guidance is referenced. The EPSS score rose from lower values to a peak of 0.1000 on 2026-04-16 before receding to the current 0.0435, indicating measurable post-disclosure exploitation interest that later subsided.

Vulnerability details

Wavlink WL-WN530H4 20220801 was found to contain a command injection vulnerability in the ping_test function of the adm.cgi via the pingIp parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
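As an added illustration (not the vendor's firmware code and not code from this page), the C sketch below shows the CWE-77 pattern described above in a hypothetical CGI ping handler, next to a hardened replacement: the pingIp value is accepted only if it parses as an IP-address literal (inet_pton), and ping is run through execvp with an argument vector instead of a shell. The function names and the ping command line are assumptions.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable shape (hypothetical, NOT the vendor's code): the parameter value is
 * spliced into a shell command line, so shell syntax in it becomes extra commands. */
void ping_test_vulnerable(const char *pingIp) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "ping -c 4 %s", pingIp);
    system(cmd);   /* CWE-77: untrusted input reaches /bin/sh */
}

/* Hardened check: accept only a literal IPv4 or IPv6 address. inet_pton must consume
 * the whole string, so any trailing or embedded shell syntax makes it fail. Returns 1 if ok. */
int is_ip_literal(const char *s) {
    unsigned char buf[16];
    if (s == NULL || *s == '\0' || strlen(s) > 45) return 0;
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Hardened shape: validate, then exec ping directly with an argv, never via a shell.
 * Returns ping's exit status, or -1 if the input was rejected or the process failed. */
int ping_test_hardened(const char *pingIp) {
    if (!is_ip_literal(pingIp)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *args[] = { "ping", "-c", "1", "-W", "1", (char *)pingIp, NULL };
        execvp("ping", args);   /* argument vector: no shell parsing of pingIp */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv) {
    /* Stand-alone demo: report whether a candidate pingIp value would be accepted. */
    const char *ip = argc > 1 ? argv[1] : "127.0.0.1";
    printf("%s -> %s\n", ip, is_ip_literal(ip) ? "accepted" : "rejected");
    return 0;
}
```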

CWE(s)

CWE-77 Command Injection

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.
Why these techniques?

Command injection in the web admin CGI (adm.cgi, ping_test) enables remote exploitation of a public-facing application (T1190) and arbitrary CLI command execution on the network device (T1059.008).

Affected Assets

Vendor: wavlink
Product: wl-wn530h4 firmware
Version: 20220801

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.