Impact
A flaw has been identified in the Delete_Mac_list, SetName, and GuestWifi functions of the /cgi-bin/wireless.cgi component in Wavlink WL-WN578W2 routers. A remote attacker can send a crafted POST request to /cgi-bin/wireless.cgi that supplies malicious input; based on the description, it is inferred that this input is injected directly into the system shell. This allows arbitrary command execution with the privileges of the web service process, a classic case of CWE-74 (injection) and CWE-77 (command injection).
Affected Systems
Affected hardware includes Wavlink WL-WN578W2 routers running the 221110 firmware release. The vulnerability applies to devices that expose the /cgi-bin/wireless.cgi endpoint and provide the GuestWifi functionality, as documented by the vendor.
Risk and Exploitability
The CVSS base score of 9.3 indicates critical severity, while the EPSS score of 2% reflects a relatively low current exploitation probability. The vulnerability is not catalogued in the CISA KEV list. An exploit has been published, so the risk remains non-zero despite the low EPSS score, and the attack can be performed remotely via a POST request to wireless.cgi.
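A defender-side triage sketch for the request pattern described above, added here as an example and not taken from the vendor, the advisory, or the published exploit: it scans logged POST bodies sent to /cgi-bin/wireless.cgi and reports any form field whose decoded value contains shell metacharacters. The field names `action` and `value` and the sample requests are constructed assumptions, since the page does not give the CGI's real parameter names.

```python
import re
from urllib.parse import parse_qsl

ENDPOINT = "/cgi-bin/wireless.cgi"  # endpoint named in the advisory

# Characters a POSIX shell treats as separators, substitution or redirection.
SHELL_META = re.compile(r"[;&|`$<>\n\r\\(){}]")


def suspicious_fields(method, path, body):
    """Return [(field, decoded_value)] for fields carrying shell metacharacters.

    Only POST requests to ENDPOINT are inspected. parse_qsl percent-decodes
    the body first, so encoded metacharacters (%3B, %24, ...) are caught too.
    """
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return []
    fields = parse_qsl(body, keep_blank_values=True)
    return [(name, value) for name, value in fields if SHELL_META.search(value)]


def flagged_indexes(requests):
    """Return the positions of requests that have at least one suspicious field."""
    return [i for i, req in enumerate(requests) if suspicious_fields(*req)]


# Constructed sample log entries: (method, path, urlencoded body).
# Field names are hypothetical; the detector checks every field regardless of name.
SAMPLE_REQUESTS = [
    ("POST", "/cgi-bin/wireless.cgi", "action=SetName&value=HomeNet"),
    ("POST", "/cgi-bin/wireless.cgi", "action=SetName&value=HomeNet%3Becho+marker"),
    ("POST", "/cgi-bin/wireless.cgi", "action=GuestWifi&value=%24%28echo+marker%29"),
    ("POST", "/cgi-bin/login.cgi", "value=a%3Bb"),   # different endpoint: ignored
    ("GET", "/cgi-bin/wireless.cgi", ""),            # not a POST: ignored
]

if __name__ == "__main__":
    for idx in flagged_indexes(SAMPLE_REQUESTS):
        method, path, body = SAMPLE_REQUESTS[idx]
        print(f"request {idx}: {suspicious_fields(method, path, body)}")
```

Wi-Fi passphrases and SSIDs can legitimately contain characters such as `$` or `&`, so treat hits as triage leads to correlate with source address and timing rather than as confirmed exploitation.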