CVE-2025-10324 is a command injection vulnerability identified in the Wavlink WL-WN578W2 wireless router, specifically in firmware version 221110. The vulnerability resides in the firewall.cgi component, particularly within the function sub_401C5C. This function processes several configuration parameters including pingFrmWANFilterEnabled, blockSynFloodEnabled, blockPortScanEnabled, and remoteManagementEnabled. Improper sanitization or validation of these parameters allows an attacker to inject arbitrary commands into the system shell. The vulnerability is remotely exploitable without requiring authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:N). This means an attacker can send crafted requests to the device's web interface to execute arbitrary commands with the privileges of the web server process. The vendor, Wavlink, was notified early but has not responded or issued a patch, increasing the risk of exploitation. Although no known exploits are currently reported in the wild, the public disclosure and availability of technical details raise the likelihood of future exploitation. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the significant impact on confidentiality, integrity, and availability, but mitigated somewhat by the limited scope of affected devices and lack of widespread deployment information. The vulnerability can lead to full system compromise, enabling attackers to manipulate network traffic, intercept sensitive data, or use the device as a foothold for further attacks within a network.

For European organizations, this vulnerability poses a serious risk especially for those using Wavlink WL-WN578W2 routers in their network infrastructure. Compromise of these devices can lead to unauthorized command execution, potentially allowing attackers to alter firewall rules, disable security features, or intercept and manipulate network traffic. This can result in data breaches, disruption of network services, and lateral movement within corporate networks. Small and medium enterprises (SMEs) and home office setups that rely on consumer-grade Wavlink routers are particularly vulnerable due to typically weaker network segmentation and monitoring. Additionally, critical infrastructure sectors that use these devices for remote management or perimeter security could face operational disruptions or espionage risks. The lack of vendor response and patch availability increases exposure time, making timely mitigation essential. Given the remote exploitability without authentication, attackers can scan for vulnerable devices across Europe and launch automated attacks, potentially impacting a wide range of organizations.

Immediate mitigation steps include disabling remote management features on the affected devices to reduce the attack surface. Network administrators should restrict access to the router’s web interface to trusted internal IP addresses only, using firewall rules or network segmentation. Monitoring network traffic for unusual activity originating from or targeting the router can help detect exploitation attempts. Since no official patch is available, organizations should consider replacing vulnerable devices with models from vendors that provide timely security updates. If replacement is not immediately feasible, deploying network-level intrusion prevention systems (IPS) with signatures targeting command injection attempts against Wavlink devices can provide additional protection. Regularly auditing router configurations and firmware versions across the network will help identify and remediate vulnerable units. Finally, organizations should maintain up-to-date asset inventories to track affected devices and prepare for future patch deployment once available.