CVE-2026-7690: Wavlink WL-WN570HA1 Firmware RCE Flaw

CVE-2026-7690 Overview

CVE-2026-7690 is a command injection vulnerability in the Wavlink WL-WN570HA1 wireless range extender running firmware version R70HA1 V1410_221110. The flaw resides in the set_sys_adm function within /cgi-bin/adm.cgi, where the Username argument is not sanitized before being passed to a shell context. Authenticated remote attackers can inject arbitrary operating system commands through this parameter. Wavlink confirmed the issue and removed the affected firmware from its website. The vulnerability only affects products that are no longer supported by the maintainer, so no patch will be issued.

Critical Impact

Remote authenticated attackers can execute arbitrary commands on affected Wavlink devices through the Username parameter, with public exploit details available and no vendor patch planned for this end-of-life product.

Affected Products

• Wavlink WL-WN570HA1 hardware (all units running the affected firmware)
• Wavlink WL-WN570HA1 firmware version R70HA1 V1410_221110
• End-of-life devices no longer maintained by Wavlink

Discovery Timeline

• 2026-05-03 - CVE-2026-7690 published to NVD
• 2026-05-07 - Last updated in NVD database

Technical Details for CVE-2026-7690

Vulnerability Analysis

The vulnerability is classified under [CWE-74] (Improper Neutralization of Special Elements in Output Used by a Downstream Component). It affects the administrative interface of the WL-WN570HA1 range extender, specifically the set_sys_adm handler in /cgi-bin/adm.cgi. The handler accepts a Username parameter from authenticated administrative requests and uses it in a downstream shell invocation without proper neutralization. An attacker who has valid low-privilege credentials can supply shell metacharacters in the Username field to break out of the intended argument context and execute arbitrary commands on the device. Successful exploitation grants control of the embedded operating system, enabling persistence, lateral movement into adjacent network segments, or use of the device in botnet activity.

Root Cause

The root cause is missing input validation and command argument sanitization in the set_sys_adm function. User-supplied data from the Username parameter is concatenated into a system command string and passed to a shell interpreter. Because special characters such as ;, |, &, and backticks are not filtered or escaped, the parser treats injected payloads as additional commands. This is a common pattern in SOHO networking firmware that relies on CGI scripts wrapping shell utilities for configuration changes.

Attack Vector

Exploitation requires network reachability to the device's administrative web interface and valid authentication at a low privilege level. The attacker submits a crafted POST request to /cgi-bin/adm.cgi invoking set_sys_adm with a malicious Username value containing shell metacharacters and a chained command. The injected command runs with the privileges of the web server process, which on many embedded devices is the root account. Public exploit information is referenced in the Notion writeup and VulDB entry #360860, enabling low-skill replication of the attack.

Detection Methods for CVE-2026-7690

Indicators of Compromise

• HTTP requests to /cgi-bin/adm.cgi containing the set_sys_adm action with shell metacharacters such as ;, |, &&, or backticks in the Username field
• Outbound connections from the WL-WN570HA1 to unfamiliar IP addresses, particularly on ports associated with reverse shells or downloader staging
• Unexpected processes spawned by the embedded web server, such as wget, tftp, nc, or sh

Detection Strategies

• Inspect HTTP request bodies destined for the device's administration URL and alert on non-alphanumeric characters in the Username parameter
• Monitor for anomalous DNS resolutions or outbound traffic originating from IoT network segments where the WL-WN570HA1 resides
• Capture firmware-level logs, where available, and forward them to a centralized log platform for correlation against known exploit signatures

Monitoring Recommendations

• Place affected devices on a segmented VLAN and continuously monitor north-south and east-west traffic for command-and-control patterns
• Track administrative login attempts to the device and alert on successful logins from unexpected source addresses
• Correlate device telemetry with threat intelligence feeds that reference VulDB ID 360860 to identify scanning or exploitation attempts

How to Mitigate CVE-2026-7690

Immediate Actions Required

• Decommission and replace the WL-WN570HA1, since the firmware has been removed from the vendor's website and the product is no longer supported
• Remove the device from internet-facing exposure and block inbound access to its administrative interface at the perimeter firewall
• Rotate any credentials reused on the device, especially administrative accounts that share passwords with other systems

Patch Information

No patch is available. Wavlink confirmed that firmware R70HA1 V1410_221110 has been removed from its website and that the affected product is no longer supported. Replacement with a supported wireless extender from a maintained product line is the only durable remediation. Consult the VulDB advisory #360860 and the vendor disclosure notes for confirmation of end-of-life status.

Workarounds

• Restrict access to the device's web administration interface to a dedicated management VLAN with strict ACLs
• Disable remote administration features and require local-only access for any required configuration changes
• Enforce strong, unique credentials on remaining administrative accounts to raise the bar for the authentication prerequisite
• Monitor the device closely until decommissioning is complete, treating it as untrusted infrastructure

# Example perimeter ACL to block external access to the device's admin interface
iptables -A FORWARD -d <wavlink_device_ip> -p tcp --dport 80 -j DROP
iptables -A FORWARD -d <wavlink_device_ip> -p tcp --dport 443 -j DROP