Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
9DescriptionCVE.org
A vulnerability was found in Wavlink WL-WN530H4 20220721. This vulnerability affects the function strcat/snprintf of the file /cgi-bin/internet.cgi. The manipulation results in os command injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. Upgrading to version 2026.04.16 is able to resolve this issue. Upgrading the affected component is recommended.
AnalysisAI
OS command injection in Wavlink WL-WN530H4 router's internet.cgi endpoint allows authenticated attackers with high privileges to execute arbitrary system commands remotely. The vulnerability, affecting firmware version 20220721, resides in unsafe use of strcat/snprintf functions handling user input. Public exploit code exists (EPSS risk elevated by POC availability), though exploitation requires administrative credentials (PR:H), limiting automated mass exploitation. Vendor-released firmware patch 2026.04.16 available.
Technical ContextAI
This vulnerability affects the Wavlink WL-WN530H4 wireless router (cpe:2.3:a:wavlink:wl-wn530h4), specifically the CGI handler at /cgi-bin/internet.cgi. The root cause is CWE-78 (OS Command Injection) stemming from improper neutralization of special elements in the strcat/snprintf functions. These C string manipulation functions are being used to construct system commands without adequate input sanitization, allowing attacker-controlled data to break out of intended command boundaries. When processing parameters for routing configuration, the vulnerable code concatenates user input directly into shell commands executed by the router's busybox or embedded Linux environment, enabling injection of arbitrary commands with the privileges of the web server process (typically root on embedded devices).
RemediationAI
Upgrade to Wavlink firmware version 2026.04.16, available from vendor repository at https://dl.wavlink.com/firmware/RD/root_uImage_WN530H4-A_2026.04.16.bin. Verify firmware authenticity via checksum if published. If immediate patching is not feasible, implement compensating controls: (1) Disable remote management access to the router admin panel (typically port 80/443) and restrict access to trusted internal networks only via firewall rules or router settings - eliminates remote attack vector but breaks cloud management features if enabled; (2) Change default admin credentials to strong unique passwords (20+ characters, random) to increase credential-attack resistance; (3) Enable HTTPS-only admin access with certificate pinning if supported to prevent credential interception; (4) Monitor router system logs for unusual command execution patterns or failed authentication attempts; (5) Segment vulnerable routers onto isolated VLANs if supporting non-critical networks until patching. Note: Disabling routing functionality would break core device purpose - not a viable mitigation. Firmware update carries standard router update risks (temporary connectivity loss, potential bricking if interrupted) - schedule during maintenance window with console access available for recovery.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23403