CVE-2026-4164
Published: 16 March 2026
Summary
CVE-2026-4164 is a critical-severity Injection (CWE-74) vulnerability in Wavlink WL-WN578W2 (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and correction of the command injection flaw via the vendor-provided firmware upgrade for the affected Wavlink router.
Directly addresses the improper neutralization of special elements in POST inputs to Delete_Mac_list/SetName/GuestWifi functions in wireless.cgi, preventing arbitrary command execution.
Enforces approved authorizations including authentication for access to the vulnerable unauthenticated POST request handler, blocking remote exploitation without privileges.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2026-4164 enables remote exploitation of a public-facing router web CGI (T1190) via command injection, facilitating arbitrary Unix shell command execution (T1059.004) with web server privileges.
NVD Description
A flaw has been found in Wavlink WL-WN578W2 221110. Impacted is the function Delete_Mac_list/SetName/GuestWifi of the file /cgi-bin/wireless.cgi of the component POST Request Handler. Executing a manipulation can lead to command injection. It is possible to launch the attack remotely.…
more
The exploit has been published and may be used. It is recommended to upgrade the affected component.
Deeper analysisAI
CVE-2026-4164 is a command injection vulnerability affecting the Wavlink WL-WN578W2 router running firmware version 221110. The flaw resides in the Delete_Mac_list, SetName, and GuestWifi functions within the /cgi-bin/wireless.cgi file, part of the POST Request Handler component. Due to improper input validation, attackers can manipulate POST requests to inject and execute arbitrary commands on the device.
The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical), with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating it requires no privileges, no user interaction, and low complexity for remote network-based exploitation. Successful attacks allow attackers to achieve high impacts on confidentiality, integrity, and availability, potentially leading to full device compromise, such as executing system commands remotely.
Mitigation is addressed through a firmware upgrade available from the vendor at https://dl.wavlink.com/firmware/RD/WINSTAR_WN578W2-A-2026-03-10-94f93d4-WO-mt7628-squashfs-sysupgrade.bin. Additional details on the vulnerability, including published exploits, are documented in advisories from VulDB (https://vuldb.com/?ctiid.351071 and https://vuldb.com/?id.351071) and GitHub repositories (https://github.com/Litengzheng/vul_db/blob/main/WL-WN578W2/vul_1/README.md and https://github.com/Litengzheng/vul_db/blob/main/WL-WN578W2/vul_2/README.md), which recommend upgrading the affected component promptly.
The exploit has been publicly disclosed and is available for use, increasing the risk of active exploitation against unpatched devices. The issue maps to CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-77 (Command Injection).
Details
- CWE(s)