CVE-2026-2530
Published: 16 February 2026
Summary
CVE-2026-2530 is a medium-severity Injection (CWE-74) vulnerability in Wavlink WL-WN579A3 firmware. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 40.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 directly prevents command injection by requiring validation of the macAddr argument in the vulnerable wireless.cgi script.
SI-2 mandates timely identification, reporting, and correction of the command injection flaw in the router firmware, including patching or replacement.
AC-6 limits the impact of command execution following exploitation by enforcing least privilege on the web server process context.
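As an illustration of the SI-10 control above, the following added example (not Wavlink's code and not taken from the firmware) shows a strict allow-list check for a MAC address parameter such as macAddr. The helper names is_valid_mac and normalize_mac are hypothetical, and the example assumes the expected format is six colon-separated hex octets.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

#define MAC_STR_LEN 17 /* "aa:bb:cc:dd:ee:ff" */

/* Hypothetical helper (not from the firmware): returns 1 only when s is
 * exactly six hex octets separated by ':' with nothing before or after. */
int is_valid_mac(const char *s)
{
    if (s == NULL)
        return 0;
    for (size_t i = 0; i < MAC_STR_LEN; i++) {
        unsigned char c = (unsigned char)s[i];
        /* A premature '\0' fails both checks, so we never read past it. */
        if (i % 3 == 2) {
            if (c != ':')
                return 0;
        } else if (!isxdigit(c)) {
            return 0;
        }
    }
    return s[MAC_STR_LEN] == '\0'; /* reject any trailing bytes */
}

/* Hypothetical helper: validates `in` and writes the lower-case canonical
 * form to `out`. Returns 0 on success, -1 if rejected or out is too small. */
int normalize_mac(const char *in, char *out, size_t out_len)
{
    if (out == NULL || out_len < MAC_STR_LEN + 1 || !is_valid_mac(in))
        return -1;
    for (size_t i = 0; i < MAC_STR_LEN; i++)
        out[i] = (char)tolower((unsigned char)in[i]);
    out[MAC_STR_LEN] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not taken from any real request. */
    const char *samples[] = { "00:11:22:AA:bb:cc", "00:11:22:33:44:55;x",
                              "00-11-22-33-44-55", "" };
    char mac[MAC_STR_LEN + 1];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s -> %s\n", samples[i],
               normalize_mac(samples[i], mac, sizeof mac) == 0 ? mac : "rejected");
    return 0;
}
```

Only the normalized output buffer, never the raw request value, should reach any later configuration or command step; rejecting on the first non-conforming byte keeps shell metacharacters out by construction.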
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in router web CGI enables exploitation of public-facing application (T1190) and arbitrary network device CLI execution (T1059.008).
NVD Description
A weakness has been identified in Wavlink WL-WN579A3 up to 20210219. This affects the function AddMac of the file /cgi-bin/wireless.cgi. This manipulation of the argument macAddr causes command injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysis
CVE-2026-2530 is a command injection vulnerability affecting Wavlink WL-WN579A3 router firmware versions up to 20210219. The flaw exists in the AddMac function within the /cgi-bin/wireless.cgi script, where manipulation of the macAddr argument enables arbitrary command execution. It is associated with CWE-74 and CWE-77 and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability is exploitable remotely by low-privileged users, such as authenticated attackers with network access to the device. Exploitation requires no user interaction and results in limited impacts to confidentiality, integrity, and availability, potentially allowing command execution within the context of the web server process.
Advisories from VulDB indicate that the vendor was notified early but provided no response, with no patches or mitigations detailed. A proof-of-concept exploit is publicly available on GitHub, increasing the risk of attacks against unpatched devices.
The exploit's public disclosure heightens the urgency for practitioners to isolate or replace affected Wavlink WL-WN579A3 devices, as no vendor remediation is confirmed.
Details
- CWE(s)