Which versions of Wl Wn578w2 are affected by EUVD-2026-12204?

A critical remote code execution vulnerability affects Wavlink WL-WN578W2 wireless devices with a published exploit actively available.. A patch is available.

Is there a public PoC exploit available for EUVD-2026-12204?

Yes, a public proof-of-concept exploit is available for EUVD-2026-12204. Prioritise patching immediately. EPSS: 0.2%.

How to fix or mitigate EUVD-2026-12204?

Within 24 hours: Inventory all Wavlink WL-WN578W2 devices across the organization and isolate affected units from production networks if possible. Within 7 days: Apply the available vendor patch to all identified devices and verify successful deployment. Within 30 days: Conduct post-patch validation testing and review network access logs for signs of exploitation.

Wl Wn578w2 EUVD-2026-12204

Q: What is the CVSS score of EUVD-2026-12204?

EUVD-2026-12204 has a CVSS 4.0 base score of 8.9 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.2%.

| CVE-2026-4164 HIGH

Command Injection (CWE-77)

2026-03-15 VulDB

Command Injection Wl Wn578w2

8.9

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

8.9 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

Apr 22, 2026 - 21:37 vuln.today

cvss_changed

Severity Changed

Apr 22, 2026 - 21:37 NVD

CRITICAL HIGH

CVSS changed

Apr 22, 2026 - 21:37 NVD

9.8 (CRITICAL) 8.9 (HIGH)

PoC Detected

Mar 16, 2026 - 14:53 vuln.today

Public exploit code

EUVD ID Assigned

Mar 15, 2026 - 04:00 euvd

EUVD-2026-12204

Analysis Generated

Mar 15, 2026 - 04:00 vuln.today

Patch released

Mar 15, 2026 - 04:00 nvd

Patch available

CVE Published

Mar 15, 2026 - 03:02 nvd

CRITICAL 9.8

DescriptionCVE.org

A flaw has been found in Wavlink WL-WN578W2 221110. Impacted is the function Delete_Mac_list/SetName/GuestWifi of the file /cgi-bin/wireless.cgi of the component POST Request Handler. Executing a manipulation can lead to command injection. It is possible to launch the attack remotely. The exploit has been published and may be used. It is recommended to upgrade the affected component.

AnalysisAI

Critical command injection vulnerability in Wavlink WL-WN578W2 wireless routers (firmware version 221110) that allows unauthenticated remote attackers to execute arbitrary commands via specially crafted POST requests to multiple functions in the wireless.cgi script. A public proof-of-concept exploit is available on GitHub, and the vendor has released a patch, making this a high-priority issue for immediate remediation despite no current KEV listing.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Send POST request to /cgi-bin/wireless.cgi

Exploit

Inject OS commands in Delete_Mac_list/SetName/GuestWifi parameters

Execution

Execute arbitrary commands on router

Impact

Achieve full system compromise