Cyber Posture

CVE-2026-2527

Medium · Public PoC

Published: 16 February 2026

Modified: 18 February 2026
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0041 (61.6th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-2527 is a medium-severity Injection (CWE-74) vulnerability in Wavlink WL-WN579A3 firmware. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 38.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: Directly validates the 'key' argument in /cgi-bin/login.cgi to block command injection manipulations.

Prevent: Identifies and remediates the command injection flaw in Wavlink WL-WN579A3 firmware up to 20210219 through timely patching.

Detect: Monitors router system activity to detect unauthorized command execution attempts exploiting the login.cgi vulnerability.

MITRE ATT&CK Enterprise Techniques · AI

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.008 · Network Device CLI · Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.

Why these techniques?

Command injection in the public-facing web interface (/cgi-bin/login.cgi) of the router enables exploitation of a public-facing application (T1190) and execution of commands on a network device CLI (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability was determined in Wavlink WL-WN579A3 up to 20210219. Affected is an unknown function of the file /cgi-bin/login.cgi. Executing a manipulation of the argument key can lead to command injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Deeper analysis · AI

CVE-2026-2527, published on 2026-02-16, is a command injection vulnerability (CWE-74, CWE-77) affecting Wavlink WL-WN579A3 router firmware versions up to 20210219. The flaw resides in an unknown function within the /cgi-bin/login.cgi file, where manipulation of the "key" argument enables command injection.

Attackers can exploit this vulnerability remotely over the network with low attack complexity and low privileges required (PR:L), without needing user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), as reflected in its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

Advisories from VulDB and related disclosures note that the exploit has been publicly available, including at https://github.com/MRAdera/IoT-Vuls/blob/main/wavlink/wn579a3/login.md, and may be utilized by attackers. The vendor was contacted early regarding the issue but provided no response, with no patches or official mitigations documented in the available references.

Details

CWE(s)

Affected Products

wavlink · wl-wn579a3 firmware · ≤ 2021-02-19

CVEs Like This One

CVE-2026-2526 · Same product: Wavlink WL-WN579A3
CVE-2026-2530 · Same product: Wavlink WL-WN579A3
CVE-2026-2528 · Same product: Wavlink WL-WN579A3
CVE-2026-2529 · Same product: Wavlink WL-WN579A3
CVE-2026-3704 · Same vendor: Wavlink
CVE-2025-10960 · Same vendor: Wavlink
CVE-2025-10323 · Same vendor: Wavlink
CVE-2025-10959 · Same vendor: Wavlink
CVE-2025-10958 · Same vendor: Wavlink
CVE-2025-10964 · Same vendor: Wavlink
