Description
A weakness has been identified in Wavlink WL-WN570HA1 R70HA1 V1410_221110. This issue affects the function set_sys_adm of the file /cgi-bin/adm.cgi. Manipulation of the argument Username causes command injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. Once again the vendor acted very professionally and confirms "that the WN570HA1 firmware version R70HA1 V1410_221110 has been removed from our website." This vulnerability only affects products that are no longer supported by the maintainer.
Published: 2026-05-03
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to inject arbitrary system commands through the Username parameter of the set_sys_adm function in /cgi-bin/adm.cgi, leading to remote code execution on the device. The record classifies the weakness as CWE-74 (improper neutralization of special elements in output used by a downstream component, the general injection class) and CWE-77 (improper neutralization of special elements used in a command, i.e. command injection). An attacker can run any commands with the privileges of the gateway process, compromising device integrity and confidentiality.

Affected Systems

The affected product is the Wavlink WL‑WN570HA1 router running firmware R70HA1 V1410_221110, which is no longer supported and has been removed from the vendor’s website. No newer firmware versions are currently available for this hardware model.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the vulnerability is exploitable remotely. Although the EPSS score is below 1% and the CVE is not listed in KEV, the publicly available exploit code increases the likelihood of real-world attacks against devices that remain online. Because the device is unsupported, the risk is higher as no vendor patches are forthcoming.

Generated by OpenCVE AI on May 3, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the router to a supported firmware version if a newer build is available from the vendor
  • Disable external access to the /cgi-bin/adm.cgi interface through network segmentation or firewall rules
  • If upgrade is impossible, isolate the device from untrusted networks and monitor for anomalous traffic on the administration interface

Advisories

No advisories yet.

History

Sun, 03 May 2026 23:45:00 +0000

Values Added:
First Time appeared: Wavlink; Wavlink wl-wn570ha1
Vendors & Products: Wavlink; Wavlink wl-wn570ha1

Sun, 03 May 2026 10:15:00 +0000

Values Added:
Description: identical to the Description at the top of this page.
Title: Wavlink WL-WN570HA1 adm.cgi set_sys_adm command injection
Weaknesses: CWE-74, CWE-77
References:
Metrics:
cvssV2_0: score 6.5, vector AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
cvssV3_0: score 6.3, vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
cvssV3_1: score 6.3, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
cvssV4_0: score 5.3, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-03T09:45:10.873Z

Reserved: 2026-05-02T16:33:32.194Z

Link: CVE-2026-7690

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-03T10:16:17.660

Modified: 2026-05-03T10:16:17.660

Link: CVE-2026-7690

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-03T21:32:38Z

Weaknesses