CVE-2026-2548: Command Injection in WAYOS FBM-220G
CVE-2026-2548 is a medium severity command injection vulnerability found in WAYOS FBM-220G version 24.10.19. It affects the function sub_40F820 in the rc file, where manipulation of specific arguments (upnp_waniface, upnp_ssdp_interval, upnp_max_age) can lead to remote command execution without authentication or user interaction. The vendor has not responded to disclosure attempts, and no patches are currently available. Exploitation could allow attackers to execute arbitrary commands on the device, potentially compromising confidentiality, integrity, and availability. The vulnerability has a CVSS 4.0 score of 5.3, reflecting moderate impact and ease of exploitation. European organizations using this device, especially in critical network infrastructure roles, should be aware of it and apply mitigations.
AI Analysis
Technical Summary
CVE-2026-2548 is a command injection vulnerability identified in the WAYOS FBM-220G router firmware version 24.10.19. The flaw resides in the function sub_40F820 within the rc file, where improper sanitization of input parameters related to UPnP settings—specifically upnp_waniface, upnp_ssdp_interval, and upnp_max_age—allows an attacker to inject arbitrary commands. This vulnerability can be exploited remotely without requiring authentication or user interaction, making it particularly dangerous. The attack vector involves sending manipulated arguments to the vulnerable function, which then executes injected commands on the underlying operating system. The vendor was notified early but has not issued any response or patch, leaving devices exposed. The CVSS 4.0 base score of 5.3 indicates a medium severity, with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The vulnerability impacts confidentiality, integrity, and availability due to the potential for arbitrary command execution, which could lead to data theft, device takeover, or denial of service. No known exploits are currently reported in the wild, but the lack of vendor response increases risk. The device is typically deployed in network edge environments, making it a critical point for attackers seeking to compromise network infrastructure.
Potential Impact
For European organizations, exploitation of this vulnerability could result in unauthorized remote control of network devices, leading to data breaches, network disruption, or use of compromised devices as pivot points for further attacks. Given the device’s role in network management and routing, attackers could intercept or manipulate traffic, degrade service availability, or exfiltrate sensitive information. The absence of vendor patches increases exposure duration, raising the risk of exploitation. Organizations relying on WAYOS FBM-220G in critical infrastructure, such as ISPs, enterprises, or government networks, face heightened risk. The medium severity rating suggests moderate but tangible impact, especially if exploited at scale or combined with other vulnerabilities. The vulnerability’s remote, unauthenticated nature means attackers can operate stealthily without user interaction, increasing the threat to confidentiality and integrity of network communications.
Mitigation Recommendations
1. Immediately isolate affected WAYOS FBM-220G devices from untrusted networks or restrict access to management interfaces via firewall rules.
2. Disable UPnP functionality on the device if possible, as the vulnerability is linked to UPnP parameter handling.
3. Monitor network traffic for unusual UPnP requests or command injection patterns targeting the device.
4. Employ network segmentation to limit the device’s exposure and prevent lateral movement in case of compromise.
5. Use intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics for command injection attempts.
6. Maintain up-to-date asset inventories to identify all affected devices and prioritize remediation.
7. Engage with WAYOS support channels persistently for patch availability or consider alternative hardware if no fix is forthcoming.
8. Implement strict access controls and logging on network devices to detect and respond to suspicious activities promptly.
9. Consider deploying network-level anomaly detection tools to identify exploitation attempts.
10. Prepare incident response plans specifically addressing potential compromise of network infrastructure devices.
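One way to implement the monitoring in steps 3 and 5 is an allowlist check on the three parameters named in the advisory, run over captured request bodies. This is an added example, not code from the advisory or the vendor; the log line format, the form-encoded body and the accepted value formats are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Allowlists for the three UPnP parameters named in the advisory. The accepted
# formats are assumptions (Linux-style interface name, plain decimal seconds).
ALLOWED = {
    "upnp_waniface": re.compile(r"[A-Za-z0-9_.\-]{1,15}"),
    "upnp_ssdp_interval": re.compile(r"[0-9]{1,5}"),
    "upnp_max_age": re.compile(r"[0-9]{1,6}"),
}

def rejected_params(body):
    """Return sorted names of watched parameters whose value fails its allowlist."""
    hits = set()
    # parse_qsl percent-decodes, so encoded metacharacters are checked decoded.
    for name, value in parse_qsl(body, keep_blank_values=True):
        pattern = ALLOWED.get(name)
        if pattern is not None and not pattern.fullmatch(value):
            hits.add(name)
    return sorted(hits)

def scan(log_lines):
    """Yield (source address, rejected parameter names) for each flagged line."""
    for line in log_lines:
        src, _, body = line.partition(" body=")
        flagged = rejected_params(body)
        if flagged:
            yield src.removeprefix("src="), flagged

# Constructed sample lines in a hypothetical "src=<ip> body=<form data>" format.
SAMPLE = [
    "src=192.0.2.10 body=upnp_waniface=eth1&upnp_ssdp_interval=30&upnp_max_age=1800",
    "src=198.51.100.7 body=upnp_waniface=eth1%3Bid&upnp_ssdp_interval=30",
    "src=198.51.100.7 body=upnp_max_age=60%60id%60&other=%3B",
    "src=192.0.2.10 body=upnp_ssdp_interval=&upnp_max_age=1800",
]

if __name__ == "__main__":
    for src, names in scan(SAMPLE):
        print(src, names)
```

Matching against a strict allowlist rather than a list of known-bad characters means encoded or unusual shell syntax is rejected without having to enumerate it.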
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-15T16:03:56.796Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69930886d1735ca7315e7f79
Added to database: 2/16/2026, 12:07:34 PM
Last enriched: 2/16/2026, 12:07:51 PM
Last updated: 2/16/2026, 1:08:03 PM