CVE-2025-10358
Published: 13 September 2025
Summary
CVE-2025-10358 is a medium-severity Command Injection (CWE-77) vulnerability in Wavlink WL-WN578W2 firmware. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 21.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-2 (Identification and Authentication (Organizational Users)) and SI-10 (Information Input Validation).
Deeper analysis
A security vulnerability has been identified in the Wavlink WL-WN578W2 router firmware version 221110. The issue resides in the function sub_404850 within the file /cgi-bin/wireless.cgi, where improper handling of the delete_list argument enables operating system command injection. The flaw is tracked under CWE-77 and CWE-78 and carries a CVSS 4.0 score of 5.5.
An unauthenticated attacker can exploit the vulnerability remotely by sending a crafted HTTP request to the wireless.cgi endpoint. Successful exploitation allows execution of arbitrary operating system commands on the device, potentially leading to limited impacts on confidentiality, integrity, and availability. A proof-of-concept exploit has been published publicly on GitHub.
The vendor was notified prior to disclosure but did not respond or issue a patch. Public references consist of technical write-ups and VulDB entries that document the flaw and reproduction steps, with no mitigation guidance provided. The associated EPSS score remains flat at 0.0116 with no observed increase after publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-29091
Vulnerability details
A security vulnerability has been detected in Wavlink WL-WN578W2 221110. This affects the function sub_404850 of the file /cgi-bin/wireless.cgi. The manipulation of the argument delete_list leads to OS command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote OS command injection in public-facing /cgi-bin/wireless.cgi enables exploitation of a public-facing application (T1190), indirect command execution via parameter manipulation (T1202), and execution of Unix shell (T1059.004) or network device CLI-equivalent commands (T1059.008).
Mitigating Controls (NIST 800-53 r5)
Directly blocks OS command injection by validating the delete_list argument before it reaches sub_404850 in wireless.cgi.
Requires identification and authentication before allowing remote access to the unauthenticated /cgi-bin/wireless.cgi endpoint.
Enforces access-control policy on the DeleteMac functionality so that only authorized subjects can invoke the vulnerable CGI handler.
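The input-validation control above, sketched as an added example (not Wavlink's code and not taken from the referenced write-ups): a strict allow-list check that a CGI handler could apply before using the value. It assumes delete_list carries comma-separated MAC addresses, which the page does not specify; the function names, separator and entry limit are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAC_LEN      17   /* "AA:BB:CC:DD:EE:FF" */
#define MAX_ENTRIES  32   /* assumed upper bound on list size */
#define ENTRY_SEP    ','  /* assumed separator; adjust to the real format */

/* Return 1 if p[0..len) is exactly one MAC address of the form XX:XX:XX:XX:XX:XX. */
static int is_mac(const char *p, size_t len)
{
    if (len != MAC_LEN)
        return 0;
    for (size_t i = 0; i < MAC_LEN; i++) {
        if (i % 3 == 2) {
            if (p[i] != ':')
                return 0;
        } else if (!isxdigit((unsigned char)p[i])) {
            return 0;
        }
    }
    return 1;
}

/*
 * Allow-list check for a hypothetical delete_list value: one or more MAC
 * addresses joined by ENTRY_SEP and nothing else. Any other byte (spaces,
 * quotes, shell metacharacters, newlines) causes rejection, as do empty
 * entries and lists longer than MAX_ENTRIES.
 */
int delete_list_is_valid(const char *value)
{
    if (value == NULL || *value == '\0')
        return 0;
    size_t entries = 0;
    const char *start = value;
    for (;;) {
        const char *end = strchr(start, ENTRY_SEP);
        size_t len = end ? (size_t)(end - start) : strlen(start);
        if (!is_mac(start, len) || ++entries > MAX_ENTRIES)
            return 0;
        if (end == NULL)
            return 1;
        start = end + 1;   /* a trailing separator leaves an empty entry, which fails */
    }
}
```

Validation of this kind is a stopgap; passing each validated entry as a separate argument to the helper program, without going through a shell, removes the injection path itself.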