CVE-2026-5004
Published: 28 March 2026
Summary
CVE-2026-5004 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Wavlink WL-WN579X3-C firmware. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 47.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-5004 is a stack-based buffer overflow vulnerability in the Wavlink WL-WN579X3-C router firmware version 231124. The issue resides in the UPNP Handler component, specifically within the sub_4019FC function of the /cgi-bin/firewall.cgi script. By manipulating the UpnpEnabled argument, an attacker can trigger the overflow. The vulnerability is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-121 (Stack-based Buffer Overflow), and CWE-787 (Out-of-bounds Write), and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vulnerability can be exploited remotely by an attacker who has low privileges (such as an authenticated user on the device). No user interaction is required, and the attack complexity is low, enabling network-based exploitation. Successful exploitation allows high-impact compromise of confidentiality, integrity, and availability, potentially leading to arbitrary code execution, data theft, or denial of service on the affected router.
Advisories from VulDB detail the vulnerability (vuln/353891) and its CTI context, while a GitHub repository (Litengzheng/vul_db) publicly discloses an exploit for the WL-WN579X3-C device. No patches or vendor responses are available, as the vendor was contacted early but did not reply. Security practitioners should isolate or replace affected devices.
The exploit has been publicly disclosed and may be utilized in the wild, with the CVE published on 2026-03-28. No further real-world exploitation status is confirmed in available data.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-16937
Vulnerability details
A vulnerability was determined in Wavlink WL-WN579X3-C 231124. This impacts the function sub_4019FC of the file /cgi-bin/firewall.cgi of the component UPNP Handler. Executing a manipulation of the argument UpnpEnabled can lead to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A stack-based buffer overflow in the router's public web CGI (firewall.cgi) allows remote authenticated RCE; this maps directly to exploiting a public-facing application and to privilege escalation to arbitrary code execution.
Mitigating Controls (NIST 800-53 r5)
Directly validates inputs like the UpnpEnabled argument in the CGI script to prevent stack-based buffer overflows from improper restriction of memory operations.
Implements memory safeguards such as stack canaries, ASLR, and non-executable stacks to mitigate exploitation of the stack-based buffer overflow vulnerability.
Mandates identification, reporting, and remediation of flaws like CVE-2026-5004 through vulnerability monitoring, patching, or device replacement to address the unpatched buffer overflow.
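One way to apply the input-validation control to the UpnpEnabled argument, as an added example (not Wavlink's code and not taken from the firmware). It assumes the argument arrives in a URL-encoded form body and that the only legitimate values are `0` and `1`; the function names `find_param` and `parse_upnp_enabled` are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: locate `name=` in a URL-encoded body and report the
 * value's start and length without copying it into any buffer. */
static const char *find_param(const char *body, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = body;

    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t seg = end ? (size_t)(end - p) : strlen(p);

        /* seg > nlen guarantees p[nlen] is still inside this segment. */
        if (seg > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            *len = seg - nlen - 1;
            return p + nlen + 1;
        }
        p = end ? end + 1 : NULL;
    }
    return NULL;
}

/* Returns 0 or 1 for a valid UpnpEnabled value, -1 for anything else.
 * Assumption: the setting is a boolean flag, so "0" and "1" are the only
 * accepted values. The length is checked before any byte is used, and the
 * attacker-controlled string is never copied to a fixed-size stack buffer. */
int parse_upnp_enabled(const char *body)
{
    size_t len = 0;
    const char *val;

    if (body == NULL)
        return -1;
    val = find_param(body, "UpnpEnabled", &len);
    if (val == NULL || len != 1)
        return -1;              /* missing, empty, or oversized: reject */
    if (val[0] == '0')
        return 0;
    if (val[0] == '1')
        return 1;
    return -1;                  /* single character outside the allowlist */
}
```

Rejecting on length and allowlist before the value is used means downstream code only ever sees an integer, not the request string.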