Cyber Resilience

CVE-2025-10359

MediumPublic PoC

Published: 13 September 2025

Published
13 September 2025
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0116 79.0th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-10359 is a medium-severity Command Injection (CWE-77) vulnerability in Wavlink Wl-Wn578W2 Firmware. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 21.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

A vulnerability has been identified in the Wavlink WL-WN578W2 router running firmware version 221110. The issue resides in the sub_404DBC function within /cgi-bin/wireless.cgi, where improper handling of the macAddr argument permits OS command injection, corresponding to CWE-77 and CWE-78. The flaw is remotely triggerable and carries a CVSS 4.0 score of 5.5.

An unauthenticated attacker can send crafted requests to the wireless.cgi endpoint to inject and execute arbitrary operating system commands on the device. Public proof-of-concept code demonstrating the injection via the add_mac endpoint has been released, enabling remote attackers to achieve limited control over device behavior without requiring user interaction.

The vendor was notified prior to disclosure but provided no response or patch. The associated EPSS score remains flat at 0.0116 with no observed increase since publication, indicating limited exploitation interest to date despite the availability of working exploit code.

EU & UK References

Vulnerability details

A vulnerability was detected in Wavlink WL-WN578W2 221110. This impacts the function sub_404DBC of the file /cgi-bin/wireless.cgi. The manipulation of the argument macAddr results in os command injection. The attack can be launched remotely. The exploit is now public and…

more

may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1202 Indirect Command Execution Stealth
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
Why these techniques?

Unauthenticated OS command injection in public-facing web CGI (/cgi-bin/wireless.cgi) enables exploitation of public-facing application (T1190), exploitation of remote services (T1210), and indirect command execution (T1202) via manipulated macAddr parameter.

CVEs Like This One

CVE-2025-10358Same product: Wavlink Wl-Wn578W2
CVE-2025-10325Same product: Wavlink Wl-Wn578W2
CVE-2025-10324Same product: Wavlink Wl-Wn578W2
CVE-2025-10323Same product: Wavlink Wl-Wn578W2
CVE-2026-8191Same vendor: Wavlink
CVE-2026-8227Same vendor: Wavlink
CVE-2026-8190Same vendor: Wavlink
CVE-2026-8188Same vendor: Wavlink
CVE-2026-8192Same vendor: Wavlink
CVE-2026-8228Same vendor: Wavlink

Affected Assets

wavlink
wl-wn578w2 firmware
m78w2_v221110

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the macAddr argument in wireless.cgi to block OS command injection (CWE-77/78).

prevent

Boundary protection can restrict remote unauthenticated access to /cgi-bin/wireless.cgi, reducing the attack surface of the exposed injection flaw.

prevent

Enforces access-control checks before allowing execution of sub_404DBC, preventing unauthenticated remote invocation of the vulnerable function.

References