Cyber Resilience

CVE-2026-2529

MediumPublic PoC

Published: 16 February 2026

Published
16 February 2026
Modified
18 February 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0598 92.4th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-2529 is a medium-severity Injection (CWE-74) vulnerability in Wavlink Wl-Wn579A3 Firmware. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 7.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-2529 is a command injection vulnerability (CWE-74, CWE-77) affecting the DeleteMac function in the /cgi-bin/wireless.cgi file of Wavlink WL-WN579A3 firmware versions up to 20210219. Published on 2026-02-16, the flaw enables remote attackers to inject commands by manipulating the delete_list argument.

The vulnerability has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating exploitation over the network with low complexity, requiring low privileges but no user interaction. Attackers with such access can achieve limited impacts on confidentiality, integrity, and availability through injected commands.

Advisories from VulDB and a GitHub repository detail the issue but note that the vendor was contacted early without any response or patch release. No official mitigations are available from the vendor.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A security flaw has been discovered in Wavlink WL-WN579A3 up to 20210219. Affected by this issue is the function DeleteMac of the file /cgi-bin/wireless.cgi. The manipulation of the argument delete_list results in command injection. The attack can be executed remotely.…

more

The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection vulnerability in public-facing web CGI interface (/cgi-bin/wireless.cgi) enables exploitation of public-facing applications (T1190) and arbitrary command execution via Unix shell (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2530Same product: Wavlink Wl-Wn579A3
CVE-2026-2527Same product: Wavlink Wl-Wn579A3
CVE-2026-2526Same product: Wavlink Wl-Wn579A3
CVE-2026-2528Same product: Wavlink Wl-Wn579A3
CVE-2026-3662Same vendor: Wavlink
CVE-2026-3661Same vendor: Wavlink
CVE-2026-2615Same vendor: Wavlink
CVE-2026-7690Same vendor: Wavlink
CVE-2026-3612Same vendor: Wavlink
CVE-2025-10324Same vendor: Wavlink

Affected Assets

wavlink
wl-wn579a3 firmware
≤ 2021-02-19

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates command injection by requiring validation of the delete_list argument at the CGI input point to reject malicious payloads.

prevent

Enforces restrictions on the delete_list parameter to only allow valid MAC address formats, blocking command injection attempts.

prevent

Requires timely remediation of the specific command injection flaw in the DeleteMac function of wireless.cgi.

References