CVE-2025-10322 MEDIUM

CVE-2025-10322: Wavlink WL-WN578W2 sysinit.html password recovery

Vendor Wavlink
Product WL-WN578W2
Weakness CWE-640 · Weak password recovery
Published September 12, 2025
Last update September 12, 2025
View on NVD All CVEs

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A vulnerability has been found in Wavlink WL-WN578W2 221110. The affected element is an unknown function of the file /sysinit.html. The manipulation of the argument newpass/confpass leads to weak password recovery. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

02Disclosure timeline

September 12, 2025 CVE published
September 12, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2022-0777 Weak Password Recovery Mechanism for Forgotten Password in microweber/microweber CVE-2025-0331 YunzMall HTTP POST Request ResetpwdController.php changePwd password recovery CVE-2025-14696 Shenzhen Sixun Software Sixun Shanghui Group Business Management System UpdatePasswordBatch password recovery CVE-2026-12066 PbootCMS Password MemberController.php retrieve password recovery CVE-2025-52560 Kanboard Password Reset Poisoning via Host Header Injection