Missing Authentication for Critical Function


Severity High
Score 7.5/10


An issue was discovered in Wavlink WN530HG4, Wavlink WN531G3, Wavlink WN533A8, and Wavlink WN551K1 affecting /cgi-bin/ where a crafted POST request returns the current configuration of the device, including the administrator password. No authentication is required. The attacker must perform a decryption step, but all decryption information is readily available.

  • LOW
  • NONE
  • NONE
  • NONE
  • HIGH
  • NONE

CWE-306 - Missing Authentication for Critical Function

The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.


Advisory Timeline

  • Published