Cyber Resilience

CVE-2026-5004

High · Public PoC

Published: 28 March 2026

Modified: 03 April 2026
KEV Added: (no date listed)
Patch: (none listed)
CVSS v4 Score: 7.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0069 (47.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-5004 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Wavlink WL-WN579X3-C firmware. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 47.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-5004 is a stack-based buffer overflow vulnerability in the Wavlink WL-WN579X3-C router firmware version 231124. The issue resides in the UPNP Handler component, specifically within the sub_4019FC function of the /cgi-bin/firewall.cgi script. By manipulating the UpnpEnabled argument, an attacker can trigger the overflow. The vulnerability is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-121 (Stack-based Buffer Overflow), and CWE-787 (Out-of-bounds Write), and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The vulnerability can be exploited remotely by an attacker who has low privileges (such as an authenticated user on the device). No user interaction is required, and the attack complexity is low, enabling network-based exploitation. Successful exploitation allows high-impact compromise of confidentiality, integrity, and availability, potentially leading to arbitrary code execution, data theft, or denial of service on the affected router.

Advisories from VulDB detail the vulnerability (vuln/353891) and its CTI context, while a GitHub repository (Litengzheng/vul_db) publicly discloses an exploit for the WL-WN579X3-C device. No patches or vendor responses are available, as the vendor was contacted early but did not reply. Security practitioners should isolate or replace affected devices.

The exploit has been publicly disclosed and may be utilized in the wild, with the CVE published on 2026-03-28. No further real-world exploitation status is confirmed in available data.

Vulnerability details

A vulnerability was determined in Wavlink WL-WN579X3-C 231124. This impacts the function sub_4019FC of the file /cgi-bin/firewall.cgi of the component UPNP Handler. Executing a manipulation of the argument UpnpEnabled can lead to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 · Exploitation for Privilege Escalation · Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The stack-based buffer overflow in the router's public web CGI (firewall.cgi) allows remote authenticated RCE; this maps directly to exploiting a public-facing application and to privilege escalation through arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3715 · Same product: Wavlink WL-WN579X3-C
CVE-2026-4861 · Same vendor: Wavlink
CVE-2026-2567 · Same vendor: Wavlink
CVE-2026-3613 · Same vendor: Wavlink
CVE-2026-3703 · Same vendor: Wavlink
CVE-2024-37357 · Same vendor: Wavlink
CVE-2024-39802 · Same vendor: Wavlink
CVE-2024-39288 · Same vendor: Wavlink
CVE-2024-39359 · Same vendor: Wavlink
CVE-2024-36258 · Same vendor: Wavlink

Affected Assets

wavlink
wl-wn579x3-c firmware
231124

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly validates inputs like the UpnpEnabled argument in the CGI script to prevent stack-based buffer overflows from improper restriction of memory operations.

prevent

Implements memory safeguards such as stack canaries, ASLR, and non-executable stacks to mitigate exploitation of the stack-based buffer overflow vulnerability.

prevent · detect

Mandates identification, reporting, and remediation of flaws like CVE-2026-5004 through vulnerability monitoring, patching, or device replacement to address the unpatched buffer overflow.
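
An added example (not Wavlink's code and not taken from the referenced PoC) of the input-validation control described above: a CGI-side parser that length-checks and allow-lists the UpnpEnabled field before it is copied into a fixed stack buffer. The function names, the 8-byte limit, and the assumption that the field is a 0/1 flag are illustrative.

```c
#include <stdio.h>
#include <string.h>

#define UPNP_VAL_MAX 8 /* assumed bound: the flag is taken to be "0" or "1" */

/* Locate name=value in a urlencoded body, matching only at field boundaries. */
static const char *form_field(const char *body, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = body;

    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            *len = strcspn(p + nlen + 1, "&");
            return p + nlen + 1;
        }
        p = strchr(p, '&');
        if (p)
            p++;
    }
    return NULL;
}

/* Returns 0 and sets *enabled, or -1 if the field is missing, too long,
 * or not an allowed value. The length is checked before any copy. */
int parse_upnp_enabled(const char *body, int *enabled)
{
    char val[UPNP_VAL_MAX];
    size_t len = 0;
    const char *v = form_field(body, "UpnpEnabled", &len);

    if (v == NULL || len >= sizeof(val))
        return -1;
    memcpy(val, v, len);
    val[len] = '\0';
    if (strcmp(val, "0") != 0 && strcmp(val, "1") != 0)
        return -1;
    *enabled = (val[0] == '1');
    return 0;
}

int main(void)
{
    /* Constructed request bodies, not captured traffic. */
    const char *bodies[] = { "page=upnp&UpnpEnabled=1", "UpnpEnabled=111111111111" };
    for (size_t i = 0; i < 2; i++) {
        int on = -1;
        int rc = parse_upnp_enabled(bodies[i], &on);
        printf("%-26s rc=%d enabled=%d\n", bodies[i], rc, on);
    }
    return 0;
}
```

Rejecting on length before `memcpy` is what keeps the write inside `val`; the allow-list then discards anything that fits but is not a valid flag.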
