cnvd - cnvd-2025-22318

CNVD-2025-22318

Vulnerability from cnvd - Published: 2025-09-19

Title

Wavlink WL-WN578W2访问控制错误漏洞

Description

Wavlink WL-WN578W2是中国睿因（Wavlink）公司的一款无线中继器。 Wavlink WL-WN578W2 221110版本存在访问控制错误漏洞，该漏洞源于文件/live_online.shtml存在错误访问控制，攻击者可利用该漏洞导致信息泄露。

Severity

中

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://github.com/ZZ2266/.github.io/tree/main/WAVLINK/WL-WN578W2/live_online.shtml

Reference

https://nvd.nist.gov/vuln/detail/CVE-2025-10321

Impacted products

Name
WAVLINK WL-WN578W2 221110

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-10321",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-10321"
    }
  },
  "description": "Wavlink WL-WN578W2\u662f\u4e2d\u56fd\u777f\u56e0\uff08Wavlink\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u65e0\u7ebf\u4e2d\u7ee7\u5668\u3002\n\nWavlink WL-WN578W2 221110\u7248\u672c\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u6587\u4ef6/live_online.shtml\u5b58\u5728\u9519\u8bef\u8bbf\u95ee\u63a7\u5236\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u4fe1\u606f\u6cc4\u9732\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://github.com/ZZ2266/.github.io/tree/main/WAVLINK/WL-WN578W2/live_online.shtml",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-22318",
  "openTime": "2025-09-19",
  "products": {
    "product": "WAVLINK WL-WN578W2 221110"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2025-10321",
  "serverity": "\u4e2d",
  "submitTime": "2025-09-16",
  "title": "Wavlink WL-WN578W2\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e"
}

CVE-2025-10321 (GCVE-0-2025-10321)

Vulnerability from cvelistv5 – Published: 2025-09-12 17:32 – Updated: 2025-09-12 18:14

Title

Wavlink WL-WN578W2 live_online.shtml information disclosure

Summary

A flaw has been found in Wavlink WL-WN578W2 221110. Impacted is an unknown function of the file /live_online.shtml. Executing manipulation can lead to information disclosure. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Severity ?

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R

5.3 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R

CWE

CWE-200 - Information Disclosure
CWE-284 - Improper Access Controls

Assigner

VulDB

References

URL

Tags

	https://vuldb.com/?id.323747	vdb-entry
	https://vuldb.com/?ctiid.323747	signaturepermissions-required
	https://vuldb.com/?submit.643431	third-party-advisory
	https://github.com/ZZ2266/.github.io/tree/main/WA…	exploit

Impacted products

	Vendor	Product	Version
	Wavlink	WL-WN578W2	Affected: 221110

Credits

n0ps1ed (VulDB User)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-10321",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-12T18:14:43.636375Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-12T18:14:55.276Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "WL-WN578W2",
          "vendor": "Wavlink",
          "versions": [
            {
              "status": "affected",
              "version": "221110"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "n0ps1ed (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw has been found in Wavlink WL-WN578W2 221110. Impacted is an unknown function of the file /live_online.shtml. Executing manipulation can lead to information disclosure. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
        },
        {
          "lang": "de",
          "value": "In Wavlink WL-WN578W2 221110 ist eine Schwachstelle entdeckt worden. Betroffen davon ist eine unbekannte Funktion der Datei /live_online.shtml. Die Manipulation f\u00fchrt zu information disclosure. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Die Schwachstelle wurde \u00f6ffentlich offengelegt und k\u00f6nnte ausgenutzt werden."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 5,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:W/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "Information Disclosure",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "Improper Access Controls",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-12T17:32:05.863Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-323747 | Wavlink WL-WN578W2 live_online.shtml information disclosure",
          "tags": [
            "vdb-entry"
          ],
          "url": "https://vuldb.com/?id.323747"
        },
        {
          "name": "VDB-323747 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.323747"
        },
        {
          "name": "Submit #643431 | Wavlink WL-WN578W2 M78W2_V221110 Exposure of Sensitive Information Due to Incompatible Policies",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.643431"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/ZZ2266/.github.io/tree/main/WAVLINK/WL-WN578W2/live_online.shtml"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-09-12T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-09-12T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-09-12T10:27:47.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Wavlink WL-WN578W2 live_online.shtml information disclosure"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-10321",
    "datePublished": "2025-09-12T17:32:05.863Z",
    "dateReserved": "2025-09-12T08:22:29.035Z",
    "dateUpdated": "2025-09-12T18:14:55.276Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2025-22318

CVE-2025-10321 (GCVE-0-2025-10321)

Tags

Sightings

Nomenclature