Cyber Resilience

CVE-2026-2530

Medium · Public PoC

Published: 16 February 2026

Modified: 18 February 2026
CVSS v4 score: 5.3
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0580 (92.2th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-2530 is a medium-severity Injection (CWE-74) vulnerability in Wavlink WL-WN579A3 firmware. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 7.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-2530 is a command injection vulnerability affecting Wavlink WL-WN579A3 router firmware versions up to 20210219. The flaw exists in the AddMac function within the /cgi-bin/wireless.cgi script, where manipulation of the macAddr argument enables arbitrary command execution. It is associated with CWE-74 and CWE-77 and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

The vulnerability is exploitable remotely by low-privileged users, such as authenticated attackers with network access to the device. Exploitation requires no user interaction and results in limited impacts to confidentiality, integrity, and availability, potentially allowing command execution within the context of the web server process.

Advisories from VulDB indicate that the vendor was notified early but provided no response, with no patches or mitigations detailed. A proof-of-concept exploit is publicly available on GitHub, increasing the risk of attacks against unpatched devices.

The exploit's public disclosure heightens the urgency for practitioners to isolate or replace affected Wavlink WL-WN579A3 devices, as no vendor remediation is confirmed.

Vulnerability details

A weakness has been identified in Wavlink WL-WN579A3 up to 20210219. This affects the function AddMac of the file /cgi-bin/wireless.cgi. This manipulation of the argument macAddr causes command injection. The attack can be carried out remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.008 Network Device CLI (Execution): Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.

Why these techniques?

Command injection in router web CGI enables exploitation of public-facing application (T1190) and arbitrary network device CLI execution (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2527 (same product: Wavlink WL-WN579A3)
CVE-2026-2526 (same product: Wavlink WL-WN579A3)
CVE-2026-2528 (same product: Wavlink WL-WN579A3)
CVE-2026-2529 (same product: Wavlink WL-WN579A3)
CVE-2026-3704 (same vendor: Wavlink)
CVE-2025-10959 (same vendor: Wavlink)
CVE-2025-10960 (same vendor: Wavlink)
CVE-2025-10964 (same vendor: Wavlink)
CVE-2025-10958 (same vendor: Wavlink)
CVE-2025-10323 (same vendor: Wavlink)

Affected Assets

Vendor: wavlink
Product: wl-wn579a3 firmware
Version: ≤ 2021-02-19

Mitigating Controls

NIST 800-53 r5 (AI)

Prevent: SI-10 directly prevents command injection by requiring validation of the macAddr argument in the vulnerable wireless.cgi script.

Prevent: SI-2 mandates timely identification, reporting, and correction of the command injection flaw in the router firmware, including patching or replacement.

Prevent: AC-6 limits the impact of command execution following exploitation by enforcing least privilege on the web server process context.
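
The SI-10 control above, shown as an added example in C (not Wavlink's code and not code from this page): a strict allowlist check for a macAddr value. The helper name normalize_mac and the colon-separated input format are assumptions, and the sample inputs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAC_STR_LEN 17 /* "aa:bb:cc:dd:ee:ff" without the terminator */

/*
 * Added example (hypothetical helper, not vendor code).
 * Accepts exactly six two-digit hex octets separated by ':' and writes a
 * lowercased copy to out. Anything else is rejected, so no shell
 * metacharacter, whitespace or extra byte can reach a later command line.
 * Returns 0 on success, -1 on rejection (out is then an empty string).
 */
int normalize_mac(const char *in, char out[MAC_STR_LEN + 1])
{
    out[0] = '\0';
    /* Exact length first: trailing data after a valid prefix is refused. */
    if (in == NULL || strlen(in) != MAC_STR_LEN)
        return -1;
    for (size_t i = 0; i < MAC_STR_LEN; i++) {
        unsigned char c = (unsigned char)in[i];
        if (i % 3 == 2) {            /* positions 2, 5, 8, 11, 14 */
            if (c != ':')
                return -1;
        } else if (!isxdigit(c)) {   /* allowlist: 0-9, a-f, A-F only */
            return -1;
        }
    }
    for (size_t i = 0; i < MAC_STR_LEN; i++)
        out[i] = (char)tolower((unsigned char)in[i]);
    out[MAC_STR_LEN] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not taken from any real request. */
    const char *samples[] = { "AA:BB:CC:DD:EE:FF", "AA:BB:CC:DD:EE:FF;x",
                              "AA:BB:CC:DD:EE:F$", "AA-BB-CC-DD-EE-FF" };
    char mac[MAC_STR_LEN + 1];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s -> %s\n", samples[i],
               normalize_mac(samples[i], mac) == 0 ? mac : "rejected");
    return 0;
}
```

Validation of this kind is most robust when the accepted value is then handed to a helper program as a separate argv element (for example via execv) rather than concatenated into a string that a shell interprets.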
