CVE-2022-40621

Summary

Because the WAVLINK Quantum D4G (WN531G3) running firmware version M31G3.V5030.200325 and earlier communicates over HTTP and not HTTPS, and because the hashing mechanism does not rely on a server-supplied key, it is possible for an attacker with sufficient network access to capture the hashed password of a logged on user and use it in a classic Pass-the-Hash style attack.

Affected Software

VendorProductVersion RangeStatus
WAVLINKWN531G3M31G3.V5030.200325 <= M31G3.V5030.200325affected

Weaknesses

  • CWE-294: CWE-294 Authentication Bypass by Capture-replay

ADP Enrichment

CVE Program Container

Additional References

References