CVE-2026-2527
Command Injection in Wavlink WL-WN579A3 /cgi-bin/login.cgi
Publication date: 2026-02-16
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wavlink | wl-wn579a3_firmware | to 2021-02-19 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-2527 is a command injection vulnerability found in the Wavlink WL-WN579A3 device, specifically in the /cgi-bin/login.cgi file of firmware versions up to 20210219.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the device improperly handles the "key" argument, allowing an attacker to manipulate this argument to inject arbitrary commands.'}, {'type': 'paragraph', 'content': 'This means an attacker can remotely execute commands on the device without authentication, potentially taking control of it.'}, {'type': 'paragraph', 'content': 'The issue is classified under CWE-77, indicating that commands are constructed using externally influenced input without proper neutralization of special characters.'}, {'type': 'paragraph', 'content': 'The vulnerability has been publicly disclosed, with proof-of-concept exploits available, and the vendor did not respond to early notifications.'}] [1, 3]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing remote attackers to execute arbitrary commands on your Wavlink WL-WN579A3 device.
Such command injection can compromise the confidentiality, integrity, and availability of the device.
- Attackers could take control of the device remotely.
- They could disrupt device operations or use the device as a foothold for further attacks.
- Because the exploit requires no user interaction and can be performed remotely, the risk of compromise is significant.
No known countermeasures exist, and the vendor did not provide any mitigation, so replacing the affected product is recommended.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'The vulnerability can be detected by monitoring network traffic or system logs for attempts to access the /cgi-bin/login.cgi endpoint with manipulation of the "key" argument, which is used to inject commands remotely.'}, {'type': 'paragraph', 'content': 'Since the vulnerability involves command injection via the "key" parameter, detection commands could include inspecting HTTP requests for suspicious payloads targeting this parameter.'}, {'type': 'list_item', 'content': 'Use network traffic analysis tools (e.g., tcpdump, Wireshark) to filter HTTP requests to /cgi-bin/login.cgi and look for unusual or suspicious values in the "key" parameter.'}, {'type': 'list_item', 'content': "Example tcpdump command to capture relevant traffic: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/cgi-bin/login.cgi'"}, {'type': 'list_item', 'content': 'Check device logs for any unexpected command execution or errors related to the login.cgi script.'}, {'type': 'paragraph', 'content': 'Note that a proof-of-concept exploit is publicly available, so scanning for known exploit signatures or using vulnerability scanners that include this CVE may also help detect exploitation attempts.'}] [1, 3]
What immediate steps should I take to mitigate this vulnerability?
There are no known countermeasures or patches provided by the vendor for this vulnerability.
Immediate mitigation steps include replacing the affected Wavlink WL-WN579A3 device with an alternative product that is not vulnerable.
Additionally, restricting remote access to the device, disabling the vulnerable service if possible, and monitoring for exploitation attempts can help reduce risk.