A critical command injection vulnerability has been identified in multiple Wavlink products, assigned CVE-2025-50756 with a CVSS score of 9.8. This flaw allows an unauthenticated attacker to execute arbitrary commands on the affected device by sending a specially crafted request to change the administrator password. Successful exploitation results in a complete compromise of the router, enabling attackers to steal data, attack other devices on the network, or disrupt internet access.

This vulnerability is a command injection flaw within the web administration interface. The set_sys_adm function, which is responsible for updating the administrator's credentials, fails to properly sanitize user-supplied input for the newpass parameter. An attacker can embed operating system commands within this parameter, which are then executed directly by the system shell with root privileges, leading to a full device takeover.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation allows an attacker to gain complete administrative control over the affected network device. The potential business impact is severe and includes theft of sensitive data transiting the network (e.g., credentials, financial data), using the compromised device as a pivot point to attack internal network assets, installation of persistent backdoors or ransomware, and inclusion of the device in a botnet for use in Distributed Denial-of-Service (DDoS) attacks. The reputational damage and operational disruption from such a compromise would be significant.

Immediate Action: The primary remediation is to apply the security patches provided by the vendor. Organizations must identify all vulnerable Wavlink devices in their environment and update the firmware to the latest version immediately. After patching, review device access logs for any signs of compromise that may have occurred prior to the update.

Proactive Monitoring: Implement enhanced monitoring on network devices. Specifically, monitor web server logs for POST requests to the device's administration panel, inspecting the newpass parameter for shell metacharacters (e.g., ;, |, &, $(), `). Monitor for unusual outbound traffic from the routers, which could indicate communication with a command-and-control (C2) server.

Compensating Controls: If patching cannot be performed immediately, implement the following controls to reduce risk:

• Disable remote (WAN) management of the router's administration interface.
• Restrict access to the administration interface to a dedicated and trusted management network segment.
• If a Web Application Firewall (WAF) is available, configure rules to inspect and block malicious payloads targeting this vulnerability.

Public Exploit Available: false

Due to the critical severity (CVSS 9.8) of this vulnerability, we strongly recommend that organizations prioritize patching all affected Wavlink devices immediately. The risk of complete network compromise is high. While there is no current evidence of active exploitation, vulnerabilities of this nature are prime targets for weaponization. If patching is delayed for any reason, the compensating controls listed above must be implemented as an urgent interim measure to mitigate risk.