CVE-2026-2528

MediumPublic PoC

Published: 16 February 2026

Published

16 February 2026

Modified

18 February 2026

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0041 61.6th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2528 is a medium-severity Injection (CWE-74) vulnerability in Wavlink Wl-Wn579A3 Firmware. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 38.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Mandates information input validation mechanisms at CGI entry points to neutralize special elements in the delete_list argument, directly preventing command injection.

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, prioritization, and correction of flaws like this command injection vulnerability in the router firmware.

SI-4 System Monitoring partial match

detect

Enables monitoring of system activity to detect anomalous access or exploitation attempts against the vulnerable wireless.cgi endpoint.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1210 Exploitation of Remote Services Lateral Movement

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

attack.mitre.org →

T1059.008 Network Device CLI Execution

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

attack.mitre.org →

Why these techniques?

Command injection in router web CGI script directly enables exploitation of public-facing application (T1190), remote services (T1210), and arbitrary command execution on network device (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability was identified in Wavlink WL-WN579A3 up to 20210219. Affected by this vulnerability is the function Delete_Mac_list of the file /cgi-bin/wireless.cgi. The manipulation of the argument delete_list leads to command injection. Remote exploitation of the attack is possible. The…

exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Deeper analysisAI

CVE-2026-2528 is a command injection vulnerability affecting the Wavlink WL-WN579A3 router firmware up to version 20210219. The issue resides in the Delete_Mac_list function within the /cgi-bin/wireless.cgi script, where the delete_list argument can be manipulated to inject arbitrary commands. This flaw, classified under CWE-74 (Improper Neutralization of Special Elements used in an OS Command) and CWE-77 (Command Injection), carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity with network accessibility and low attack complexity.

An attacker with low privileges, such as an authenticated user on the device, can remotely exploit this vulnerability over the network without user interaction. Successful exploitation allows limited impacts: low-level disclosure of confidential information, modification of data or settings, and denial of service through partial availability disruption, all within the unchanged scope of the affected component.

Advisories from VulDB note that the vendor was contacted early regarding disclosure but provided no response, implying no official patches or mitigations are available. A proof-of-concept exploit is publicly available on GitHub at https://github.com/MRAdera/IoT-Vuls/blob/main/wavlink/wn579a3/Delete_Mac_list.md, increasing the risk of active use.

Security practitioners should isolate or decommission affected Wavlink WL-WN579A3 devices, monitor for anomalous wireless.cgi access, and apply network segmentation to limit low-privilege remote access until firmware updates emerge.

Details

CWE(s): CWE-74 CWE-77

Affected Products

wavlink

wl-wn579a3 firmware

≤ 2021-02-19

CVEs Like This One

CVE-2026-2527Same product: Wavlink Wl-Wn579A3

CVE-2026-2526Same product: Wavlink Wl-Wn579A3

CVE-2026-2530Same product: Wavlink Wl-Wn579A3

CVE-2026-2529Same product: Wavlink Wl-Wn579A3

CVE-2026-3704Same vendor: Wavlink

CVE-2025-10960Same vendor: Wavlink

CVE-2025-10323Same vendor: Wavlink

CVE-2025-10959Same vendor: Wavlink

CVE-2025-10958Same vendor: Wavlink

CVE-2025-10964Same vendor: Wavlink

References

https://github.com/MRAdera/IoT-Vuls/blob/main/wavlink/wn579a3/Delete_Mac_list.md
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.346116
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.346116
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.748075
Third Party Advisory, VDB Entry · cna@vuldb.com