Cyber Posture

CVE-2025-50756

CriticalPublic PoCRCE

Published: 14 July 2025

Published
14 July 2025
Modified
03 October 2025
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0998 93.1th percentile
Risk Priority 26 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-50756 is a critical-severity Command Injection (CWE-77) vulnerability in Wavlink Wn535K3 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 6.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

SI-2 requires identification, reporting, and correction of flaws like the command injection in set_sys_adm, directly remediating CVE-2025-50756.

SI-10 Information Input Validation good match
prevent

SI-10 enforces validation of untrusted inputs like the newpass parameter to block command injection payloads in crafted requests.

AC-3 Access Enforcement good match
prevent

AC-3 enforces approved authorizations, preventing unauthenticated remote access to the vulnerable set_sys_adm function.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
attack.mitre.org →
Why these techniques?

Command injection in web function enables exploitation of public-facing application (T1190) for arbitrary remote command execution on network device (T1059.008).

NVD Description

Wavlink WN535K3 20191010 was found to contain a command injection vulnerability in the set_sys_adm function via the newpass parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

Deeper analysisAI

CVE-2025-50756 is a command injection vulnerability (CWE-77) in the Wavlink WN535K3 router firmware version 20191010. The flaw resides in the set_sys_adm function, exploitable through the newpass parameter, which allows attackers to execute arbitrary commands by sending a crafted request. Published on 2025-07-14, it carries a CVSS v3.1 base score of 9.8, reflecting its critical severity due to high impacts on confidentiality, integrity, and availability.

Remote attackers require only network access to exploit this vulnerability, with no authentication privileges, low complexity, or user interaction needed (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation grants arbitrary command execution on the device, enabling full control such as data exfiltration, persistent access, or further network pivoting.

Further details on the vulnerability, including a proof-of-concept, are available in the GitHub repository at https://github.com/Summermu/VulnForIoT/tree/main/Wavlink_WN535K3/set_sys_adm_newpass/readme.md. No vendor patches or specific mitigation guidance are detailed in the provided information.

Details

CWE(s)
CWE-77

Affected Products

wavlink
wn535k3 firmware
2019-10-10

CVEs Like This One

CVE-2026-2527Same vendor: Wavlink
CVE-2026-3704Same vendor: Wavlink
CVE-2026-2526Same vendor: Wavlink
CVE-2026-2530Same vendor: Wavlink
CVE-2025-10959Same vendor: Wavlink
CVE-2026-2528Same vendor: Wavlink
CVE-2025-10323Same vendor: Wavlink
CVE-2025-10958Same vendor: Wavlink
CVE-2025-10964Same vendor: Wavlink
CVE-2025-10960Same vendor: Wavlink

References