CVE-2022-40622

The WAVLINK Quantum D4G (WN531G3) running firmware version M31G3.V5030.200325 uses IP addresses to hold sessions and does not not use session tokens. Therefore, if an attacker changes their IP address to match the logged-in administrator's, or is behind the same NAT as the logged in administrator, session takeover is possible.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://youtu.be/cSileV8YbsQ?t=655	Exploit Third Party Advisory
https://youtu.be/cSileV8YbsQ?t=655	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:wavlink:wn531g3_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:wavlink:wn531g3:-:*:*:*:*:*:*:*

History

21 Nov 2024, 07:21

Type	Values Removed	Values Added
References	~~() https://youtu.be/cSileV8YbsQ?t=655 - Exploit, Third Party Advisory~~	() https://youtu.be/cSileV8YbsQ?t=655 - Exploit, Third Party Advisory

Information

Published : 2022-09-13 21:15

Updated : 2024-11-21 07:21

NVD link : CVE-2022-40622

Mitre link : CVE-2022-40622

CVE.ORG link : CVE-2022-40622

JSON object : View

Products Affected

wavlink

wn531g3_firmware
wn531g3

CWE

CWE-304

Missing Critical Step in Authentication

CWE-287

Improper Authentication

{"id": "CVE-2022-40622", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2022-09-13T21:15:10.197", "references": [{"url": "https://youtu.be/cSileV8YbsQ?t=655", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@rapid7.com"}, {"url": "https://youtu.be/cSileV8YbsQ?t=655", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cve@rapid7.com", "description": [{"lang": "en", "value": "CWE-304"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "The WAVLINK Quantum D4G (WN531G3) running firmware version M31G3.V5030.200325 uses IP addresses to hold sessions and does not not use session tokens. Therefore, if an attacker changes their IP address to match the logged-in administrator's, or is behind the same NAT as the logged in administrator, session takeover is possible."}, {"lang": "es", "value": "El WAVLINK Quantum D4G (WN531G3) ejecutando la versi\u00f3n de firmware M31G3.V5030.200325, usa direcciones IP para mantener las sesiones y no usa tokens de sesi\u00f3n. Por lo tanto, si un atacante cambia su direcci\u00f3n IP para que coincida con la del administrador que ha iniciado la sesi\u00f3n, o est\u00e1 detr\u00e1s del mismo NAT que el administrador que ha iniciado la sesi\u00f3n, es posible una toma de control de sesi\u00f3n"}], "lastModified": "2024-11-21T07:21:43.800", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:wavlink:wn531g3_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B8E4F42B-0D2E-4D51-A8C7-37C5D95ECB2C", "versionEndIncluding": "m31g3.v5030.200325"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:wavlink:wn531g3:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "3AE2AAA4-71D2-4B70-81FB-836F1A419DBC"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@rapid7.com"}