Auth bypass in Wavlink Jetstream_ac3000
CVE-2020-12266
An issue was discovered where there are multiple externally accessible pages that do not require any sort of authentication, and store system information for internal usage. The devices automatically query these pages to update dashboards…
Vulnerability class: Broken Authentication
EPSS: 0.017 (74.6th percentile).
CVSS v3 metric
CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.
Affected products
- Wavlink Jetstream_ac3000
- Wavlink Jetstream_ac3000_firmware
- Wavlink Jetstream_erac3000
- Wavlink Jetstream_erac3000_firmware
- Wavlink Wl-wn530hg4
- Wavlink Wl-wn530hg4_firmware — versions m30hg4.v5030.191116
- Wavlink Wl-wn575a3
- Wavlink Wl-wn575a3_firmware — versions rpt75a3.v4300.180801
- Wavlink Wl-wn579g3
- Wavlink Wl-wn579g3_firmware — versions m79x3.v5030.180719
Frequently asked questions
- What is CVE-2020-12266?
- CVE-2020-12266 is a high-severity vulnerability in Wavlink Jetstream_ac3000, classified under Missing Authentication for Critical Function. CVSS score: 7.5/10. Published 2020-04-27.
- How severe is CVE-2020-12266?
- High severity. CVSS v3 base score is 7.5 out of 10.
- Is CVE-2020-12266 known to be exploited?
- 1 public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.