CVE-2025-50756
Published: 14 July 2025
Summary
CVE-2025-50756 is a critical-severity Command Injection (CWE-77) vulnerability in Wavlink Wn535K3 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 6.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Wavlink WN535K3 firmware version 20191010 contains a command injection vulnerability in the set_sys_adm function that is triggered through the newpass parameter. The flaw, tracked as CVE-2025-50756 and assigned CWE-77, permits unauthenticated remote attackers to supply a crafted request that results in arbitrary command execution on the device. It carries a CVSS 3.1 base score of 9.8 reflecting network attack vector, low complexity, and no required privileges or user interaction.
An attacker with network access can submit a malicious HTTP request to the affected endpoint and obtain full control over the router, including the ability to read or modify data, alter device configuration, or disrupt availability. The single public reference is a proof-of-concept repository that demonstrates the injection vector but provides no vendor advisory or patch information.
EPSS for the CVE remains flat at 0.0998 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21351
Vulnerability details
Wavlink WN535K3 20191010 was found to contain a command injection vulnerability in the set_sys_adm function via the newpass parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection in web function enables exploitation of public-facing application (T1190) for arbitrary remote command execution on network device (T1059.008).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-2 requires identification, reporting, and correction of flaws like the command injection in set_sys_adm, directly remediating CVE-2025-50756.
SI-10 enforces validation of untrusted inputs like the newpass parameter to block command injection payloads in crafted requests.
AC-3 enforces approved authorizations, preventing unauthenticated remote access to the vulnerable set_sys_adm function.