Cyber Posture

CVE-2026-4164

Critical

Published: 16 March 2026

Published
16 March 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0023 45.6th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

A flaw has been found in Wavlink WL-WN578W2 221110. Impacted is the function Delete_Mac_list/SetName/GuestWifi of the file /cgi-bin/wireless.cgi of the component POST Request Handler. Executing a manipulation can lead to command injection. It is possible to launch the attack remotely.…

more

The exploit has been published and may be used. It is recommended to upgrade the affected component.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Requires timely identification, reporting, and correction of the command injection flaw via the vendor-provided firmware upgrade for the affected Wavlink router.

SI-10 Information Input Validation good match
prevent

Directly addresses the improper neutralization of special elements in POST inputs to Delete_Mac_list/SetName/GuestWifi functions in wireless.cgi, preventing arbitrary command execution.

AC-3 Access Enforcement partial match
prevent

Enforces approved authorizations including authentication for access to the vulnerable unauthenticated POST request handler, blocking remote exploitation without privileges.

Security SummaryAI

CVE-2026-4164 is a command injection vulnerability affecting the Wavlink WL-WN578W2 router running firmware version 221110. The flaw resides in the Delete_Mac_list, SetName, and GuestWifi functions within the /cgi-bin/wireless.cgi file, part of the POST Request Handler component. Due to improper input validation, attackers can manipulate POST requests to inject and execute arbitrary commands on the device.

The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical), with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating it requires no privileges, no user interaction, and low complexity for remote network-based exploitation. Successful attacks allow attackers to achieve high impacts on confidentiality, integrity, and availability, potentially leading to full device compromise, such as executing system commands remotely.

Mitigation is addressed through a firmware upgrade available from the vendor at https://dl.wavlink.com/firmware/RD/WINSTAR_WN578W2-A-2026-03-10-94f93d4-WO-mt7628-squashfs-sysupgrade.bin. Additional details on the vulnerability, including published exploits, are documented in advisories from VulDB (https://vuldb.com/?ctiid.351071 and https://vuldb.com/?id.351071) and GitHub repositories (https://github.com/Litengzheng/vul_db/blob/main/WL-WN578W2/vul_1/README.md and https://github.com/Litengzheng/vul_db/blob/main/WL-WN578W2/vul_2/README.md), which recommend upgrading the affected component promptly.

The exploit has been publicly disclosed and is available for use, increasing the risk of active exploitation against unpatched devices. The issue maps to CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-77 (Command Injection).

Details

CWE(s)
CWE-74CWE-77

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

CVE-2026-4164 enables remote exploitation of a public-facing router web CGI (T1190) via command injection, facilitating arbitrary Unix shell command execution (T1059.004) with web server privileges.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References