Impact
Wavlink WL-NU516U1-A firmware contains a stack-based buffer overflow in the wireless.cgi subroutine that processes the Guest_ssid POST parameter. By sending a specially crafted Guest_ssid value, an attacker can overflow the stack and potentially execute arbitrary code. The vulnerability is exploitable from outside the local network and a public exploit exists, indicating that attackers can target devices without physical access.
Affected Systems
The vulnerability affects the Wavlink WL-NU516U1-A model, specifically firmware version M16U1_V240425. Administrators should verify whether their deployment runs this firmware and whether the device is exposed to the Internet.
Risk and Exploitability
The CVSS score of 8.7 classifies this issue as high severity. No EPSS score is available, but that does not diminish the known existence of a publicly available exploit. Because the vulnerability is remotely exploitable, it offers a straightforward attack path for external adversaries. The device is not listed in the CISA KEV catalog, but the issue should still be treated with urgency. The CWE identifiers CWE-119 and CWE-121 further highlight the risk of uncontrolled memory writes and stack corruption.