Cyber Resilience

CVE-2026-7690

LowPublic PoC

Published: 03 May 2026

Published
03 May 2026
Modified
07 May 2026
KEV Added
Patch
CVSS Score v4 2.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0497 91.1th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-7690 is a low-severity Injection (CWE-74) vulnerability in Wavlink Wl-Wn570Ha1 Firmware. Its CVSS base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 8.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

A weakness has been identified in the Wavlink WL-WN570HA1 router running firmware R70HA1 V1410_221110. The issue resides in the set_sys_adm function of /cgi-bin/adm.cgi, where improper handling of the Username argument permits command injection. The flaw is remotely reachable and has been assigned CWE-74 and CWE-77.

An authenticated attacker with low privileges can supply crafted input to the Username parameter and execute arbitrary commands on the device. Public exploit code is available, enabling remote command injection that yields limited effects on confidentiality, integrity, and availability according to the CVSS 4.0 vector.

The vendor has stated that firmware version R70HA1 V1410_221110 has been removed from its website and confirmed the product is no longer supported, indicating no official patches will be issued.

EPSS scores rose from a baseline of 0.0041 to a peak of 0.0106 after disclosure, signaling increased exploitation interest in the unsupported device.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A weakness has been identified in Wavlink WL-WN570HA1 R70HA1 V1410_221110. This issue affects the function set_sys_adm of the file /cgi-bin/adm.cgi. This manipulation of the argument Username causes command injection. It is possible to initiate the attack remotely. The exploit has…

more

been made available to the public and could be used for attacks. Once again the vendors acted very professional and confirms, "that the WN570HA1 firmware version R70HA1 V1410_221110 has been removed from our website." This vulnerability only affects products that are no longer supported by the maintainer.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Remote command injection in public-facing CGI endpoint directly enables exploitation of public-facing apps and Unix shell command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3662Same vendor: Wavlink
CVE-2026-3661Same vendor: Wavlink
CVE-2026-2615Same vendor: Wavlink
CVE-2026-2529Same vendor: Wavlink
CVE-2026-3612Same vendor: Wavlink
CVE-2025-10324Same vendor: Wavlink
CVE-2024-39367Same vendor: Wavlink
CVE-2024-37186Same vendor: Wavlink
CVE-2024-39783Same vendor: Wavlink
CVE-2024-36295Same vendor: Wavlink

Affected Assets

wavlink
wl-wn570ha1 firmware
r70ha1_v1410_221110

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-74

Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.

addresses: CWE-74

Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.

References