CVE-2020-12124

CRITICAL EXPLOITED NUCLEI

WAVLINK WN530H4 M30H4.V5030.190403 - Unauthenticated Remote Command Execution via live_api.cgi Endpoint

Title source: llm

Exploitation Summary

CVE-2020-12124 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including Scorpion-Security-Labs and db44k. A Nuclei detection template is also available.

Description

A remote command-line injection vulnerability in the /cgi-bin/live_api.cgi endpoint of the WAVLINK WN530H4 M30H4.V5030.190403 allows an attacker to execute arbitrary Linux commands as root without authentication.

Exploits (2)

nomisec WORKING POC
by Scorpion-Security-Labs · remote
https://github.com/Scorpion-Security-Labs/CVE-2020-12124

This is a functional PoC for CVE-2020-12124, a command injection vulnerability in Wavlink WN530H4 routers. The exploit targets the `/cgi-bin/live_api.cgi` endpoint, injecting arbitrary commands via the `ip` parameter.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Wavlink WN530H4 router (and potentially other models)
No auth needed
Prerequisites: Network access to the router's web interface · The vulnerable endpoint must be exposed
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by db44k · remote
https://github.com/db44k/CVE-2020-12124

This is a functional proof-of-concept exploit for CVE-2020-12124, demonstrating command injection in Wavlink WN530H4 routers via the /cgi-bin/live_api.cgi endpoint. The exploit constructs a malicious URL with a command injection payload and sends it to the target device.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Wavlink WN530H4 router
No auth needed
Prerequisites: Network access to the target router · The /cgi-bin/live_api.cgi endpoint must be accessible
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

WAVLINK WN530H4 live_api.cgi - Command Injection
CRITICAL · by DhiyaneshDK
Shodan: http.html:"wavlink"
FOFA: body="wavlink"

References (2)

Core References
Product, Vendor Advisory (x_refsource_misc): https://www.wavlink.com/en_us/product/WL-WN530H4.html
Third Party Advisory (x_refsource_misc): https://cerne.xyz/bugs/CVE-2020-12124

Scores

CVSS v3 9.8
EPSS 0.7580
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV: 2024-03-30
CWE: CWE-78
Status: published
Products (1): wavlink/wn530h4_firmware m30h4.v5030.190403
Published: Oct 02, 2020
Tracked Since: Feb 18, 2026