Cyber Posture

CVE-2026-2529

MediumPublic PoC

Published: 16 February 2026

Published
16 February 2026
Modified
18 February 2026
KEV Added
Patch
CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0041 61.6th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2529 is a medium-severity Injection (CWE-74) vulnerability in Wavlink Wl-Wn579A3 Firmware. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 38.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly mitigates command injection by requiring validation of the delete_list argument at the CGI input point to reject malicious payloads.

SI-9 Information Input Restrictions good match
prevent

Enforces restrictions on the delete_list parameter to only allow valid MAC address formats, blocking command injection attempts.

SI-2 Flaw Remediation good match
prevent

Requires timely remediation of the specific command injection flaw in the DeleteMac function of wireless.cgi.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

Command injection vulnerability in public-facing web CGI interface (/cgi-bin/wireless.cgi) enables exploitation of public-facing applications (T1190) and arbitrary command execution via Unix shell (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A security flaw has been discovered in Wavlink WL-WN579A3 up to 20210219. Affected by this issue is the function DeleteMac of the file /cgi-bin/wireless.cgi. The manipulation of the argument delete_list results in command injection. The attack can be executed remotely.…

more

The vendor was contacted early about this disclosure but did not respond in any way.

Deeper analysisAI

CVE-2026-2529 is a command injection vulnerability (CWE-74, CWE-77) affecting the DeleteMac function in the /cgi-bin/wireless.cgi file of Wavlink WL-WN579A3 firmware versions up to 20210219. Published on 2026-02-16, the flaw enables remote attackers to inject commands by manipulating the delete_list argument.

The vulnerability has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating exploitation over the network with low complexity, requiring low privileges but no user interaction. Attackers with such access can achieve limited impacts on confidentiality, integrity, and availability through injected commands.

Advisories from VulDB and a GitHub repository detail the issue but note that the vendor was contacted early without any response or patch release. No official mitigations are available from the vendor.

Details

CWE(s)
CWE-74CWE-77

Affected Products

wavlink
wl-wn579a3 firmware
≤ 2021-02-19

CVEs Like This One

CVE-2026-2527Same product: Wavlink Wl-Wn579A3
CVE-2026-2526Same product: Wavlink Wl-Wn579A3
CVE-2026-2530Same product: Wavlink Wl-Wn579A3
CVE-2026-2528Same product: Wavlink Wl-Wn579A3
CVE-2026-2615Same vendor: Wavlink
CVE-2026-3662Same vendor: Wavlink
CVE-2026-3612Same vendor: Wavlink
CVE-2026-3661Same vendor: Wavlink
CVE-2026-7690Same vendor: Wavlink
CVE-2025-10324Same vendor: Wavlink

References