CVE-2026-2528

CVE-2026-2528 is a command injection vulnerability affecting the Wavlink WL-WN579A3 router firmware up to version 20210219. The issue resides in the Delete_Mac_list function within the /cgi-bin/wireless.cgi script, where the delete_list argument can be manipulated to inject arbitrary commands. This flaw, classified under CWE-74 (Improper Neutralization of Special Elements used in an OS Command) and CWE-77 (Command Injection), carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity with network accessibility and low attack complexity.

An attacker with low privileges, such as an authenticated user on the device, can remotely exploit this vulnerability over the network without user interaction. Successful exploitation allows limited impacts: low-level disclosure of confidential information, modification of data or settings, and denial of service through partial availability disruption, all within the unchanged scope of the affected component.

Advisories from VulDB note that the vendor was contacted early regarding disclosure but provided no response, implying no official patches or mitigations are available. A proof-of-concept exploit is publicly available on GitHub at https://github.com/MRAdera/IoT-Vuls/blob/main/wavlink/wn579a3/Delete_Mac_list.md, increasing the risk of active use.

Security practitioners should isolate or decommission affected Wavlink WL-WN579A3 devices, monitor for anomalous wireless.cgi access, and apply network segmentation to limit low-privilege remote access until firmware updates emerge.