Vulnerability Description
Because the WAVLINK Quantum D4G (WN531G3) running firmware version M31G3.V5030.200325 and earlier communicates over HTTP and not HTTPS, and because the hashing mechanism does not rely on a server-supplied key, it is possible for an attacker with sufficient network access to capture the hashed password of a logged on user and use it in a classic Pass-the-Hash style attack.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wavlink | Wn531G3 Firmware | <= m31g3.v5030.200325 |
| Wavlink | Wn531G3 | - |
Related Weaknesses (CWE)
References
- https://www.malbytes.net/2022/07/wavlink-quantum-d4g-zero-day-part-01.htmlExploitThird Party Advisory
- https://www.malbytes.net/2022/07/wavlink-quantum-d4g-zero-day-part-01.htmlExploitThird Party Advisory
FAQ
What is CVE-2022-40621?
CVE-2022-40621 is a vulnerability with a CVSS score of 7.5 (HIGH). Because the WAVLINK Quantum D4G (WN531G3) running firmware version M31G3.V5030.200325 and earlier communicates over HTTP and not HTTPS, and because the hashing mechanism does not rely on a server-supp...
How severe is CVE-2022-40621?
CVE-2022-40621 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-40621?
Check the references section above for vendor advisories and patch information. Affected products include: Wavlink Wn531G3 Firmware, Wavlink Wn531G3.