Impact
The vulnerability exists in the OTA Online Upgrade component of Wavlink WL-NU516U1, specifically in the sub_405AF4 function of adm.cgi. By manipulating the firmware_url argument, an attacker can inject shell commands that the router will execute, leading to remote command execution. This is a classic instance of a command injection flaw and falls under CWE-74 and CWE-77. With successful exploitation, an attacker would gain the ability to run arbitrary commands on the device, potentially compromising the router, exfiltrating configuration data, or using it as a foothold within the local network.
Affected Systems
The affected vendor is Wavlink and the product is the WL‑NU516U1 router model. The specific firmware build impacted is V240425, as identified in the advisory. Any devices running this firmware revision are vulnerable unless the firmware is updated or the feature disabled.
Risk and Exploitability
The CVSS score of 8.6 classifies this as a high severity flaw, while the EPSS score of 9% indicates a higher probability of widespread exploitation at the time of this assessment. It is not listed in the CISA KEV catalog. The remote nature of the attack combined with the fact that the adm.cgi endpoint is publicly reachable (no explicit authentication requirement is stated in the description) means that an attacker who can reach the device over HTTP can craft a request that triggers the command injection. Although the likelihood of exploitation is currently higher, the potential impact remains significant.
OpenCVE Enrichment