Wavlink Command Injection (CVE-2022–23900)

Your Router Is My Router

Stigward
5 min read, Apr 6, 2022


TL/DR:

The Wavlink WL-WN531P3 router exposes an API endpoint susceptible to command injection. This API endpoint is reachable without an authentication header, meaning the vulnerability can be exploited by an unauthenticated attacker. Furthermore, the router has no CSRF protection, thus RCE can be achieved without connecting to the local network.

Vulnerability Description and Discovery:

The router hosts an API that is used to accept requests made from within the Admin portal. One thing a user can do from within this portal is send a ping command. An example has been included below:

Because ping is a well-known shell command, we may immediately begin to theorize about the possibility of command injection.

Command Injection Explanation:

For those unfamiliar with command injection, here is a quick rundown:

Let’s take the above ping functionality and walk through what could be happening between the web portal and the router.

  1. You as the user input the IP you wish to ping.
  2. The Admin portal sends a request to the router with the IP you specified.
  3. The router’s API endpoint handles the request with something like the following (yes, this example has a BOF; it is strictly an example):

    #include <stdlib.h>
    #include <string.h>

    char command[50];                    /* fixed-size buffer: the deliberate BOF mentioned above */
    strcpy(command, "ping ");
    strcat(command, user_specified_ip);  /* user_specified_ip comes straight from the request */
    system(command);                     /* handed to the shell as-is */

In the above code, we first copy “ping ” into the command buffer. Then we append whatever is stored in user_specified_ip to our buffer, imagining this variable holds the IP we specified in the Admin portal. Finally, we run system(command), which executes our shell command (ping <ip>) on the underlying host operating system.

Abusing the system command:

You can run two shell commands in one line if you delimit them with a ; . So if you open a command prompt and run whoami; touch test.txt , the shell will first output the result of whoami and then it will create the file test.txt. With this knowledge, we can exploit the ping example…
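To show what the fix for the ping handler sketched above and the ; separator issue looks like from the defender's side, here is an added example (my own code, not the router's firmware): the parameter is accepted only if it is a strict dotted-quad IPv4 literal, and ping is launched through execvp with an argv array so that no shell ever parses the string. The function names and the `-c 1` count flag are my choices; the `-c` flag is the standard ping count option on Linux and BSD.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Returns 1 if s is a dotted-quad IPv4 literal (e.g. 10.0.0.1), else 0.
 * Only digits and dots are accepted, so ';', '|', '&', spaces and
 * backticks can never reach the command line. */
int is_valid_ipv4(const char *s) {
    int octets = 0;
    if (s == NULL || *s == '\0') return 0;
    while (*s) {
        int val = 0, digits = 0;
        while (isdigit((unsigned char)*s)) {
            val = val * 10 + (*s - '0');
            if (++digits > 3 || val > 255) return 0;   /* too long or > 255 */
            s++;
        }
        if (digits == 0) return 0;                      /* empty octet ("1..2") */
        octets++;
        if (*s == '.') { s++; if (*s == '\0') return 0; } /* trailing dot */
        else if (*s != '\0') return 0;                  /* any non-digit, non-dot */
    }
    return octets == 4;
}

/* Runs "ping -c 1 <ip>" via fork/execvp. The IP is one argv element, so
 * even if validation were weakened there is no shell to interpret ';'.
 * Returns -1 if the input is rejected or the launch fails, otherwise
 * ping's exit status (0 = host replied). */
int safe_ping(const char *ip) {
    if (!is_valid_ipv4(ip)) return -1;
    char *argv[] = { "ping", "-c", "1", (char *)ip, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed sample inputs: one benign IP, one with the ';' trick, one out of range. */
    const char *inputs[] = { "8.8.8.8", "8.8.8.8; touch test.txt", "256.1.1.1" };
    for (int i = 0; i < 3; i++)
        printf("%-26s -> %s\n", inputs[i], is_valid_ipv4(inputs[i]) ? "accepted" : "rejected");
    return 0;
}
```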

