Which versions of Wavlink WL-WN578W2 are affected by CVE-2026-4164?

A critical remote code execution vulnerability affects Wavlink WL-WN578W2 wireless devices with a published exploit actively available.. A patch is available.

Is there a public PoC exploit available for CVE-2026-4164?

Yes, a public proof-of-concept exploit is available for CVE-2026-4164. Prioritise patching immediately. EPSS: 0.2%.

Wavlink WL-WN578W2 CVE-2026-4164

Q: What is the CVSS score of CVE-2026-4164?

CVE-2026-4164 has a CVSS 4.0 base score of 8.9 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.2%.

EUVD-2026-12204 HIGH

Command Injection (CWE-77)

2026-03-15 VulDB

Command Injection

8.9

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

Apr 22, 2026 - 21:37 vuln.today

cvss_changed

Severity Changed

Apr 22, 2026 - 21:37 NVD

CRITICAL HIGH

CVSS changed

Apr 22, 2026 - 21:37 NVD

9.8 (CRITICAL) 8.9 (HIGH)

PoC Detected

Mar 16, 2026 - 14:53 vuln.today

Public exploit code

EUVD ID Assigned

Mar 15, 2026 - 04:00 euvd

EUVD-2026-12204

Analysis Generated

Mar 15, 2026 - 04:00 vuln.today

Patch released

Mar 15, 2026 - 04:00 nvd

Patch available

CVE Published

Mar 15, 2026 - 03:02 nvd

CRITICAL 9.8

DescriptionNVD

A flaw has been found in Wavlink WL-WN578W2 221110. Impacted is the function Delete_Mac_list/SetName/GuestWifi of the file /cgi-bin/wireless.cgi of the component POST Request Handler. Executing a manipulation can lead to command injection. It is possible to launch the attack remotely. The exploit has been published and may be used. It is recommended to upgrade the affected component.

AnalysisAI

Critical command injection vulnerability in Wavlink WL-WN578W2 wireless routers (firmware version 221110) that allows unauthenticated remote attackers to execute arbitrary commands via specially crafted POST requests to multiple functions in the wireless.cgi script. A public proof-of-concept exploit is available on GitHub, and the vendor has released a patch, making this a high-priority issue for immediate remediation despite no current KEV listing.

RemediationAI

Within 24 hours: Inventory all Wavlink WL-WN578W2 devices across the organization and isolate affected units from production networks if possible. Within 7 days: Apply the available vendor patch to all identified devices and verify successful deployment. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-4164 vulnerability details – vuln.today

Back

Wavlink WL-WN578W2 CVE-2026-4164

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Wavlink WL-WN578W2 CVE-2026-4164

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code