Description
A security flaw has been discovered in Wavlink WL-WN579A3 up to 20210219. Affected by this issue is the function DeleteMac of the file /cgi-bin/wireless.cgi. The manipulation of the argument delete_list results in command injection. The attack can be executed remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-16
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Command injection via web interface
Action: Patch
AI Analysis

Impact

The flaw resides in the DeleteMac function of wireless.cgi on Wavlink WL‑WN579A3 routers. By supplying specially crafted values to the delete_list parameter, an attacker can cause arbitrary shell commands to be executed on the device. Because the attack is triggered through the web interface, it can be performed without local access, granting the attacker full control over the affected router. The vulnerability is classified as a command injection (CWE‑74) and command injection in external input (CWE‑77).

Affected Systems

The vulnerability affects Wavlink WL‑WN579A3 routers with firmware versions up to and including 20210219. All models shipping with the wireless.cgi file that implements the DeleteMac command are susceptible, including the specific hardware model identified by the vendor product list. No other models or firmware revisions are known to be impacted.

Risk and Exploitability

The CVSS base score is 5.3, denoting moderate severity, and the EPSS score is below 1%, indicating a low probability that the vulnerability will be actively exploited. The vulnerability is not listed in CISA’s KEV catalog, further suggesting no known large‑scale exploitation. Attackers would need to reach the router’s web interface, send a crafted request containing malicious delete_list data, and observe any resulting changes to confirm success. Because the command injection occurs through a remote HTTP endpoint, the attack vector is remote. No external prerequisites beyond web access and the ability to query the router’s CGI scripts are required.

Generated by OpenCVE AI on April 17, 2026 at 19:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the router firmware to a version that removes or sanitizes the DeleteMac function; if no official update is available, consider disabling the wireless.cgi script or restricting access to the router’s web interface to trusted local networks only.
  • Configure the router’s firewall or access controls to block remote HTTP requests to /cgi-bin/wireless.cgi or to the DeleteMac endpoint if possible.
  • Ensure that any future firmware upgrades include proper input validation for the delete_list parameter, such as explicit whitelisting of acceptable values before passing them to underlying shell commands.
  • Monitor network traffic for anomalous POST requests to /cgi-bin/wireless.cgi and be prepared to apply updates promptly.

Generated by OpenCVE AI on April 17, 2026 at 19:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Wavlink wl-wn579a3 Firmware
CPEs cpe:2.3:h:wavlink:wl-wn579a3:-:*:*:*:*:*:*:*
cpe:2.3:o:wavlink:wl-wn579a3_firmware:*:*:*:*:*:*:*:*
Vendors & Products Wavlink wl-wn579a3 Firmware

Tue, 17 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Wavlink
Wavlink wl-wn579a3
Vendors & Products Wavlink
Wavlink wl-wn579a3

Mon, 16 Feb 2026 02:15:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in Wavlink WL-WN579A3 up to 20210219. Affected by this issue is the function DeleteMac of the file /cgi-bin/wireless.cgi. The manipulation of the argument delete_list results in command injection. The attack can be executed remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Title Wavlink WL-WN579A3 wireless.cgi DeleteMac command injection
Weaknesses CWE-74
CWE-77
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:ND/RC:C'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:C'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:C'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}

Subscriptions

Wavlink Wl-wn579a3 Wl-wn579a3 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T10:04:14.698Z

Reserved: 2026-02-15T09:01:34.854Z

Link: CVE-2026-2529

cve-icon Vulnrichment

Updated: 2026-02-17T17:13:56.809Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-16T02:16:07.000

Modified: 2026-02-18T20:02:39.143

Link: CVE-2026-2529

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T19:30:15Z

Weaknesses