CVE-2026-7691: Wavlink WL-WN570HA1 Firmware RCE Flaw

CVE-2026-7691 Overview

CVE-2026-7691 is a command injection vulnerability in the Wavlink WL-WN570HA1 router running firmware version R70HA1 V1410_221110. The flaw resides in the set_sys_cmd function within /cgi-bin/adm.cgi, where the command argument is passed to a system shell without sanitization. Attackers can exploit the issue remotely over the network with low privileges. The vulnerability has been publicly disclosed and affects a product line that the vendor no longer supports. Wavlink confirmed that the affected firmware has been removed from its website rather than patched. The issue is tracked under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).

Critical Impact

Authenticated remote attackers can inject arbitrary operating system commands through the router's administrative CGI interface, gaining shell-level control of the device.

Affected Products

• Wavlink WL-WN570HA1 hardware router
• Wavlink WL-WN570HA1 firmware version R70HA1 V1410_221110
• End-of-life products no longer maintained by the vendor

Discovery Timeline

• 2026-05-03 - CVE-2026-7691 published to NVD
• 2026-05-07 - Last updated in NVD database

Technical Details for CVE-2026-7691

Vulnerability Analysis

The vulnerability exists in the set_sys_cmd handler exposed by /cgi-bin/adm.cgi on the WL-WN570HA1 administration interface. The handler accepts a user-controlled command parameter and passes the value into a shell execution routine without input filtering or argument escaping. An attacker who can reach the administrative web interface can append shell metacharacters to the parameter and execute arbitrary commands in the context of the web server process, which typically runs as root on consumer routers.

The attack is reachable over the network and requires low privileges according to the published CVSS vector. Because the device is end-of-life, no firmware fix will be issued. Public disclosure of the technical details on third-party platforms increases the likelihood of opportunistic exploitation against exposed devices. Refer to the Notion technical writeup and the VulDB report for further analysis.

Root Cause

The root cause is missing input neutralization on the command argument before it is concatenated into a shell command string. The handler relies on trusted input assumptions but exposes the function through an HTTP-accessible CGI endpoint, breaking that trust boundary.

Attack Vector

Exploitation requires network access to the router's web administration interface and valid low-privilege credentials. An attacker submits a crafted POST or GET request to /cgi-bin/adm.cgi invoking set_sys_cmd with shell metacharacters embedded in the command parameter. The injected payload runs with the privileges of the CGI process. No verified proof-of-concept code is published in the enriched data; see the linked references for exploitation details.

Detection Methods for CVE-2026-7691

Indicators of Compromise

• HTTP requests to /cgi-bin/adm.cgi containing set_sys_cmd with shell metacharacters such as ;, |, &, backticks, or $() in the command parameter
• Outbound connections from the router to unfamiliar hosts following administrative requests, indicating reverse shell or download activity
• Unexpected changes to router DNS settings, firewall rules, or NAT configuration after access to the admin CGI

Detection Strategies

• Inspect web server and CGI access logs on the device or upstream proxies for requests targeting set_sys_cmd with non-alphanumeric payloads
• Deploy network intrusion detection signatures that flag command injection patterns sent to Wavlink administrative endpoints
• Correlate router authentication events with subsequent CGI requests to identify low-privileged accounts performing administrative actions

Monitoring Recommendations

• Monitor for new outbound traffic from router IP addresses, especially to non-ISP destinations and on non-standard ports
• Alert on changes to router firmware version banners, configuration files, and exposed administrative ports
• Track NetFlow records for sustained connections initiated by IoT and networking devices that historically generate minimal egress traffic

How to Mitigate CVE-2026-7691

Immediate Actions Required

• Replace WL-WN570HA1 devices with a currently supported router model, since the vendor has confirmed end-of-life status and removed the firmware rather than issuing a patch
• Remove the affected device from internet-facing deployments and isolate it on a segregated management VLAN until decommissioned
• Rotate all administrative credentials used on the device and any shared credentials that may have been reused

Patch Information

No patch is available. Wavlink confirmed that the WN570HA1 firmware version R70HA1 V1410_221110 has been removed from its website. The product is no longer supported by the maintainer, so device replacement is the only durable remediation path.

Workarounds

• Disable remote (WAN-side) administration on the router and restrict the admin web interface to a single trusted management host
• Place the device behind a network firewall that blocks inbound HTTP and HTTPS to the router from untrusted segments
• Enforce strong, unique credentials for any account capable of reaching /cgi-bin/adm.cgi to reduce opportunistic exploitation
• Disable any port forwarding rules or UPnP entries that expose the administrative interface externally

# Configuration example: restrict admin interface access using an upstream firewall (iptables)
iptables -A FORWARD -p tcp -d <router-ip> --dport 80 -s <mgmt-host>/32 -j ACCEPT
iptables -A FORWARD -p tcp -d <router-ip> --dport 443 -s <mgmt-host>/32 -j ACCEPT
iptables -A FORWARD -p tcp -d <router-ip> --dport 80 -j DROP
iptables -A FORWARD -p tcp -d <router-ip> --dport 443 -j DROP