# Exploit Title: Wavlink WL-WN579X3-C firewall.cgi UPNP Stack-based Buffer Overflow # CVE: CVE-2026-5004 # Date: 2026-03-29 # Exploit Author: Mohammed Idrees Banyamer # Author Country: Jordan # Instagram: @banyamer_security # Author GitHub: https://github.com/mbanyamer # Author Blog: https://banyamersecurity.com/blog/ # Vendor Homepage: https://www.wavlink.com # Affected: Wavlink WL-WN579X3-C firmware version 231124 # Tested on: Wavlink WL-WN579X3-C (firmware 231124) # Platform: MIPS # Exploit Type: Remote Stack-based Buffer Overflow # CVSS: 8.8 (High) # Description: A stack-based buffer overflow exists in /cgi-bin/firewall.cgi when the "firewall" parameter is set to "UPNP". The UpnpEnabled parameter is copied into a small 8-byte stack buffer (in function sub_4019FC), but uci_init writes ~40 bytes, causing a 32+ byte overflow that corrupts the saved return address. This vulnerability can be triggered remotely without authentication if the web interface is exposed, leading to Denial of Service (device crash / reboot). With additional ROP engineering, remote code execution may be possible. # References: - https://github.com/Litengzheng/vul_db/blob/main/WL-WN579X3-C/vul_200/README.md - https://vuldb.com/vuln/353891 - https://nvd.nist.gov/vuln/detail/CVE-2026-5004 # Usage: python3 exploit.py <target_ip> # PoC Code: