Description
A flaw has been found in Wavlink WL-WN578W2 221110. Impacted is the function Delete_Mac_list/SetName/GuestWifi of the file /cgi-bin/wireless.cgi of the component POST Request Handler. Executing a manipulation can lead to command injection. It is possible to launch the attack remotely. The exploit has been published and may be used. It is recommended to upgrade the affected component.
Published: 2026-03-15
Score: 9.3 Critical
EPSS: 2.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw has been identified in the Delete_Mac_list, SetName, and GuestWifi functions of the /cgi-bin/wireless.cgi component in Wavlink WL-WN578W2 routers. An attacker can craft a POST request that supplies malicious input; based on the description, it is inferred that this input can be injected directly into the system shell. This allows arbitrary command execution with the privileges of the web service process, a classic case of CWE-74 and CWE-77. The flaw can be exploited remotely via a crafted POST request to /cgi-bin/wireless.cgi.

Affected Systems

Affected hardware includes Wavlink WL-WN578W2 routers running the 221110 firmware release. The vulnerability applies to devices that expose the /cgi-bin/wireless.cgi endpoint and provide the GuestWifi functionality, as documented by the vendor.

Risk and Exploitability

The CVSS base score of 9.3 indicates critical severity, while the EPSS score of 2% reflects a relatively low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. An exploit has been published, so the risk remains non-zero despite the low EPSS score, and the attack can be performed remotely via a POST request to wireless.cgi.

Generated by OpenCVE AI on June 18, 2026 at 10:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the router firmware to the latest version available from Wavlink.
  • Disable the GuestWifi feature if it is not required.
  • Restrict external access to the /cgi-bin/wireless.cgi endpoint using firewall rules or a VPN.
  • Monitor device logs for suspicious POST requests to wireless.cgi.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wavlink wl-wn578w2
Vendors & Products | | Wavlink wl-wn578w2

Sun, 15 Mar 2026 03:45:00 +0000

Type | Values Removed | Values Added
Description | | A flaw has been found in Wavlink WL-WN578W2 221110. Impacted is the function Delete_Mac_list/SetName/GuestWifi of the file /cgi-bin/wireless.cgi of the component POST Request Handler. Executing a manipulation can lead to command injection. It is possible to launch the attack remotely. The exploit has been published and may be used. It is recommended to upgrade the affected component.
Title | | Wavlink WL-WN578W2 POST Request wireless.cgi GuestWifi command injection
First Time appeared | | Wavlink; Wavlink wl-wn578w2 Firmware
Weaknesses | | CWE-74; CWE-77
CPEs | | cpe:2.3:o:wavlink:wl-wn578w2_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Wavlink; Wavlink wl-wn578w2 Firmware
References | |
Metrics | | cvssV2_0: {'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C'}
 | | cvssV3_0: {'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C'}
 | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C'}
 | | cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-17T13:42:57.181Z

Reserved: 2026-03-14T12:21:53.308Z

Link: CVE-2026-4164

Vulnrichment

Updated: 2026-03-17T13:42:53.112Z

NVD

Status: Deferred

Published: 2026-03-16T14:19:55.380

Modified: 2026-06-17T10:56:05.647

Link: CVE-2026-4164

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T10:15:03Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')