Cyber Posture

CVE-2026-2530

Medium · Public PoC

Published: 16 February 2026

Modified: 18 February 2026
KEV Added
Patch
CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0038 59.3th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Description

A weakness has been identified in Wavlink WL-WN579A3 up to 20210219. This affects the function AddMac of the file /cgi-bin/wireless.cgi. Manipulation of the argument macAddr causes command injection. The attack can be carried out remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Mitigating Controls (NIST 800-53 r5) · AI

prevent: SI-10 directly prevents command injection by requiring validation of the macAddr argument in the vulnerable wireless.cgi script.

prevent: SI-2 mandates timely identification, reporting, and correction of the command injection flaw in the router firmware, including patching or replacement.

prevent: AC-6 limits the impact of command execution following exploitation by enforcing least privilege on the web server process context.

Security Summary · AI

CVE-2026-2530 is a command injection vulnerability affecting Wavlink WL-WN579A3 router firmware versions up to 20210219. The flaw exists in the AddMac function within the /cgi-bin/wireless.cgi script, where manipulation of the macAddr argument enables arbitrary command execution. It is associated with CWE-74 and CWE-77 and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

The vulnerability is exploitable remotely by low-privileged users, such as authenticated attackers with network access to the device. Exploitation requires no user interaction and results in limited impacts to confidentiality, integrity, and availability, potentially allowing command execution within the context of the web server process.

Advisories from VulDB indicate that the vendor was notified early but provided no response, with no patches or mitigations detailed. A proof-of-concept exploit is publicly available on GitHub, increasing the risk of attacks against unpatched devices.

The exploit's public disclosure heightens the urgency for practitioners to isolate or replace affected Wavlink WL-WN579A3 devices, as no vendor remediation is confirmed.

Details

CWE(s)

Affected Products

wavlink · wl-wn579a3 firmware · ≤ 2021-02-19

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.
Why these techniques?

Command injection in router web CGI enables exploitation of public-facing application (T1190) and arbitrary network device CLI execution (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
