Cyber Resilience

CVE-2025-50756

CriticalPublic PoCRCE

Published: 14 July 2025

Published
14 July 2025
Modified
03 October 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0998 93.2th percentile
Risk Priority 26 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-50756 is a critical-severity Command Injection (CWE-77) vulnerability in Wavlink Wn535K3 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 6.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Wavlink WN535K3 firmware version 20191010 contains a command injection vulnerability in the set_sys_adm function that is triggered through the newpass parameter. The flaw, tracked as CVE-2025-50756 and assigned CWE-77, permits unauthenticated remote attackers to supply a crafted request that results in arbitrary command execution on the device. It carries a CVSS 3.1 base score of 9.8 reflecting network attack vector, low complexity, and no required privileges or user interaction.

An attacker with network access can submit a malicious HTTP request to the affected endpoint and obtain full control over the router, including the ability to read or modify data, alter device configuration, or disrupt availability. The single public reference is a proof-of-concept repository that demonstrates the injection vector but provides no vendor advisory or patch information.

EPSS for the CVE remains flat at 0.0998 with no material increase since disclosure.

EU & UK References

Vulnerability details

Wavlink WN535K3 20191010 was found to contain a command injection vulnerability in the set_sys_adm function via the newpass parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Why these techniques?

Command injection in web function enables exploitation of public-facing application (T1190) for arbitrary remote command execution on network device (T1059.008).

CVEs Like This One

CVE-2024-39762Same vendor: Wavlink
CVE-2026-2527Same vendor: Wavlink
CVE-2024-34166Same vendor: Wavlink
CVE-2026-2526Same vendor: Wavlink
CVE-2026-2530Same vendor: Wavlink
CVE-2024-39360Same vendor: Wavlink
CVE-2026-3704Same vendor: Wavlink
CVE-2024-39759Same vendor: Wavlink
CVE-2024-39783Same vendor: Wavlink
CVE-2024-39781Same vendor: Wavlink

Affected Assets

wavlink
wn535k3 firmware
2019-10-10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 requires identification, reporting, and correction of flaws like the command injection in set_sys_adm, directly remediating CVE-2025-50756.

prevent

SI-10 enforces validation of untrusted inputs like the newpass parameter to block command injection payloads in crafted requests.

prevent

AC-3 enforces approved authorizations, preventing unauthenticated remote access to the vulnerable set_sys_adm function.

References