CVE-2026-2527

MediumPublic PoC

Published: 16 February 2026

Published

16 February 2026

Modified

18 February 2026

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0041 61.5th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was determined in Wavlink WL-WN579A3 up to 20210219. Affected is an unknown function of the file /cgi-bin/login.cgi. Executing a manipulation of the argument key can lead to command injection. The attack may be launched remotely. The exploit has…

been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly validates the 'key' argument in /cgi-bin/login.cgi to block command injection manipulations.

SI-2 Flaw Remediation good match

prevent

Identifies and remediates the command injection flaw in Wavlink WL-WN579A3 firmware up to 20210219 through timely patching.

SI-4 System Monitoring partial match

detect

Monitors router system activity to detect unauthorized command execution attempts exploiting the login.cgi vulnerability.

Security SummaryAI

CVE-2026-2527, published on 2026-02-16, is a command injection vulnerability (CWE-74, CWE-77) affecting Wavlink WL-WN579A3 router firmware versions up to 20210219. The flaw resides in an unknown function within the /cgi-bin/login.cgi file, where manipulation of the "key" argument enables command injection.

Attackers can exploit this vulnerability remotely over the network with low attack complexity and low privileges required (PR:L), without needing user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), as reflected in its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

Advisories from VulDB and related disclosures note that the exploit has been publicly available, including at https://github.com/MRAdera/IoT-Vuls/blob/main/wavlink/wn579a3/login.md, and may be utilized by attackers. The vendor was contacted early regarding the issue but provided no response, with no patches or official mitigations documented in the available references.

Details

CWE(s): CWE-74 CWE-77

Affected Products

wavlink

wl-wn579a3 firmware

≤ 2021-02-19

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.008 Network Device CLI Execution

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

attack.mitre.org →

Why these techniques?

Command injection in the public-facing web interface (/cgi-bin/login.cgi) of the router enables exploitation of a public-facing application (T1190) and execution of commands on a network device CLI (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/MRAdera/IoT-Vuls/blob/main/wavlink/wn579a3/login.md
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.346115
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.346115
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.748074
Third Party Advisory, VDB Entry · cna@vuldb.com