Skip to main content

Wl Wn579a3 CVE-2026-4163

| EUVDEUVD-2026-12192 HIGH
Command Injection (CWE-77)
2026-03-14 VulDB
8.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
Severity Changed
Apr 22, 2026 - 21:37 NVD
CRITICAL HIGH
CVSS changed
Apr 22, 2026 - 21:37 NVD
9.8 (CRITICAL) 8.9 (HIGH)
PoC Detected
Mar 16, 2026 - 14:53 vuln.today
Public exploit code
EUVD ID Assigned
Mar 14, 2026 - 23:00 euvd
EUVD-2026-12192
Analysis Generated
Mar 14, 2026 - 23:00 vuln.today
Patch released
Mar 14, 2026 - 23:00 nvd
Patch available
CVE Published
Mar 14, 2026 - 22:32 nvd
CRITICAL 9.8

DescriptionCVE.org

A vulnerability was detected in Wavlink WL-WN579A3 220323. This issue affects the function SetName/GuestWifi of the file /cgi-bin/wireless.cgi of the component POST Request Handler. Performing a manipulation results in command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. Upgrading the affected component is recommended.

AnalysisAI

Critical command injection vulnerability in Wavlink WL-WN579A3 wireless router firmware version 220323, allowing unauthenticated remote attackers to execute arbitrary commands via the SetName/GuestWifi functions in /cgi-bin/wireless.cgi. A public proof-of-concept exploit is available, and while a vendor patch exists, the vulnerability has not yet been added to CISA's KEV catalog despite its high severity (CVSS 9.8).

Technical ContextAI

The vulnerability affects the Wavlink WL-WN579A3 wireless access point/router (CPE: cpe:2.3:a:wavlink:wl-wn579a3:*:*:*:*:*:*:*:*). It stems from improper input validation in the POST request handler, specifically in the SetName and GuestWifi functions within the /cgi-bin/wireless.cgi script. This is a classic command injection vulnerability (CWE-77), where user-supplied input is passed to system commands without proper sanitization, allowing attackers to inject arbitrary OS commands that execute with the privileges of the web server process.

RemediationAI

Immediate patching is strongly recommended. Wavlink has released a patched firmware version dated 2026-03-10 (build 94f93d4) available at: https://dl.wavlink.com/firmware/RD/WINSTAR_WN579A3-A-2026-03-10-94f93d4-WO-mt7628-squashfs-sysupgrade.bin. As a temporary mitigation, restrict access to the device's web interface to trusted networks only and disable remote management features if possible. Monitor for suspicious POST requests to /cgi-bin/wireless.cgi, particularly those targeting SetName or GuestWifi functions.

Share

CVE-2026-4163 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy