Cyber Resilience

CVE-2025-10358

Severity: Medium · Public PoC

Published: 13 September 2025
Modified: 29 April 2026
KEV Added: not listed
Patch: none issued
CVSS Score (v4): 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0116 (79.0th percentile)
Risk Priority: 12 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-10358 is a medium-severity Command Injection (CWE-77) vulnerability in Wavlink Wl-Wn578W2 Firmware. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 21.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-2 (Identification and Authentication (Organizational Users)) and SI-10 (Information Input Validation).

Deeper analysis

A security vulnerability has been identified in the Wavlink WL-WN578W2 router firmware version 221110. The issue resides in the function sub_404850 within the file /cgi-bin/wireless.cgi, where improper handling of the delete_list argument enables operating system command injection. The flaw is tracked under CWE-77 and CWE-78 and carries a CVSS 4.0 score of 5.5.

An unauthenticated attacker can exploit the vulnerability remotely by sending a crafted HTTP request to the wireless.cgi endpoint. Successful exploitation allows execution of arbitrary operating system commands on the device, potentially leading to limited impacts on confidentiality, integrity, and availability. A proof-of-concept exploit has been published publicly on GitHub.

The vendor was notified prior to disclosure but did not respond or issue a patch. Public references consist of technical write-ups and VulDB entries that document the flaw and reproduction steps, with no mitigation guidance provided. The associated EPSS score remains flat at 0.0116 with no observed increase after publication.

Vulnerability details

A security vulnerability has been detected in Wavlink WL-WN578W2 221110. This affects the function sub_404850 of the file /cgi-bin/wireless.cgi. The manipulation of the argument delete_list leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

CWE-77 (Command Injection) and CWE-78 (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1202 Indirect Command Execution (Stealth)
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command-line interpreters (CLI) on network devices to execute malicious commands and payloads.
Why these techniques?

Unauthenticated remote OS command injection in public-facing /cgi-bin/wireless.cgi enables exploitation of a public-facing application (T1190), indirect command execution via parameter manipulation (T1202), and execution of Unix shell (T1059.004) or network device CLI-equivalent commands (T1059.008).

CVEs Like This One

CVE-2025-10359 (same product: Wavlink Wl-Wn578W2)
CVE-2025-10324 (same product: Wavlink Wl-Wn578W2)
CVE-2025-10323 (same product: Wavlink Wl-Wn578W2)
CVE-2025-10325 (same product: Wavlink Wl-Wn578W2)
CVE-2026-8191 (same vendor: Wavlink)
CVE-2026-8227 (same vendor: Wavlink)
CVE-2026-8190 (same vendor: Wavlink)
CVE-2026-8188 (same vendor: Wavlink)
CVE-2026-8192 (same vendor: Wavlink)
CVE-2026-8228 (same vendor: Wavlink)

Affected Assets

wavlink / wl-wn578w2 firmware / m78w2_v221110 (vendor / product / version)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

prevent · SI-10 (Information Input Validation)
Directly blocks OS command injection by validating the delete_list argument before it reaches sub_404850 in wireless.cgi.

prevent · IA-2 (Identification and Authentication (Organizational Users))
Requires identification and authentication before allowing remote access to the currently unauthenticated /cgi-bin/wireless.cgi endpoint.

prevent · access enforcement
Enforces access-control policy on the DeleteMac functionality so that only authorized subjects can invoke the vulnerable CGI handler.
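As an added illustration of the SI-10 control above (example code written for this page, not Wavlink's firmware or the real handler in wireless.cgi), a C allowlist check that accepts delete_list only as a comma-separated list of MAC addresses and then hands each entry to a helper as its own argv element, so no shell ever parses the request value. The MAC-list format of delete_list, the MAX_ENTRIES bound and the /sbin/delmac helper path are assumptions.

```c
#include <ctype.h>
#include <string.h>
#define MAC_LEN 17      /* length of "aa:bb:cc:dd:ee:ff" */
#define MAX_ENTRIES 32  /* assumed upper bound on entries per request */

/* 1 if s[0..n) is exactly one colon-separated MAC address, else 0. */
static int is_mac(const char *s, size_t n)
{
    if (n != MAC_LEN) return 0;
    for (size_t i = 0; i < n; i++)
        if ((i % 3 == 2) ? s[i] != ':' : !isxdigit((unsigned char)s[i])) return 0;
    return 1;
}

/* Allowlist check for delete_list: a comma-separated list of MAC addresses and
 * nothing else, so shell metacharacters (; | ` $ ...) never reach a command
 * string. Returns the entry count, or -1 when the value must be rejected. */
int validate_delete_list(const char *list)
{
    int count = 0;
    if (list == NULL || *list == '\0') return -1;
    for (const char *p = list; p; ) {
        const char *comma = strchr(p, ',');
        size_t n = comma ? (size_t)(comma - p) : strlen(p);
        if (!is_mac(p, n) || ++count > MAX_ENTRIES) return -1;
        p = comma ? comma + 1 : NULL;
    }
    return count;
}

/* Hardened hand-off: copies the validated list into buf and points argv[] at
 * each entry so the caller can execv() a helper (/sbin/delmac is a hypothetical
 * path) with no shell parsing the string. Returns argc, or -1 on failure. */
int build_delete_argv(const char *list, char *buf, size_t buflen, char **argv, int maxargs)
{
    int argc = 0;
    if (validate_delete_list(list) < 0 || strlen(list) >= buflen) return -1;
    strcpy(buf, list);
    argv[argc++] = "/sbin/delmac";
    for (char *p = buf; p; ) {
        char *comma = strchr(p, ',');
        if (comma) *comma++ = '\0';
        if (argc + 1 >= maxargs) return -1;  /* leave room for the NULL */
        argv[argc++] = p;
        p = comma;
    }
    argv[argc] = NULL;
    return argc;
}
```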
