CVE-2026-2548 is a medium-severity command injection vulnerability affecting the WAYOS FBM-220G router firmware version 24.10.19. The vulnerability resides in the function sub_40F820 of the rc file, which processes arguments related to UPnP settings: upnp_waniface, upnp_ssdp_interval, and upnp_max_age. By manipulating these arguments, an attacker with low privileges can inject arbitrary commands that the system executes, potentially leading to full compromise of the device. The attack vector is remote network access, requiring no user interaction, which increases the risk of exploitation in exposed environments. The vendor was notified early but has not issued any response or patch, leaving the vulnerability unmitigated. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), no user interaction (UI:N), and impacts on confidentiality, integrity, and availability at a low to medium level (VC:L, VI:L, VA:L). No known exploits have been reported in the wild, but the lack of vendor response and patch availability increases the urgency for organizations to implement compensating controls. The vulnerability could allow attackers to execute arbitrary commands, potentially leading to device takeover, network disruption, or pivoting to other internal systems.

The primary impact of CVE-2026-2548 is unauthorized remote command execution on affected WAYOS FBM-220G devices. This can lead to full compromise of the router, allowing attackers to alter configurations, intercept or redirect network traffic, disrupt network availability, or use the device as a foothold for further attacks within an organization's network. Given the device's role in network infrastructure, exploitation could degrade network performance or cause outages, impacting business operations. Confidentiality may be compromised if attackers access sensitive network data. Integrity of network configurations and data could be altered, and availability may be disrupted through denial-of-service conditions or malicious reconfiguration. The medium CVSS score reflects moderate impact, but the ease of remote exploitation without user interaction elevates the risk. Organizations relying on this hardware for critical network functions face operational and security risks until remediation is applied.

Since no official patch or vendor response is available, organizations should implement the following mitigations: 1) Immediately restrict remote access to the management interfaces of WAYOS FBM-220G devices, especially those exposing UPnP services, by using network segmentation and firewall rules. 2) Disable UPnP functionality if it is not essential, as this is the attack vector for the vulnerability. 3) Monitor network traffic for unusual or suspicious activity targeting the affected parameters (upnp_waniface, upnp_ssdp_interval, upnp_max_age) or unexpected command execution patterns. 4) Employ intrusion detection/prevention systems (IDS/IPS) with custom signatures to detect exploitation attempts. 5) Consider replacing affected devices with alternative hardware from vendors with active security support if mitigation is not feasible. 6) Maintain strict access controls and audit logs on network devices to detect and respond to potential compromises. 7) Stay alert for any future vendor advisories or patches and apply them promptly once available.