Description
A vulnerability has been found in Wavlink NU516U1 M16U1_V240425. Affected is the function change_wifi_password of the file /cgi-bin/adm.cgi. The manipulation of the argument wl_channel/wl_Pass/EncrypType leads to OS command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure.
Published: 2026-05-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is located in the change_wifi_password function of the adm.cgi script on Wavlink NU516U1 routers. By manipulating the wl_channel, wl_Pass, or EncrypType parameters, an unauthenticated attacker can inject arbitrary operating-system commands. This leads to full remote code execution on the device, allowing an attacker to modify configuration, install malware, or hijack the network. The weakness is a classic OS command injection identified as CWE-77 and CWE-78.

Affected Systems

Affected devices are Wavlink NU516U1 routers running firmware M16U1_V240425. No additional version range was provided, but any device with the stated firmware build carries the flaw.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate base severity, yet the nature of OS command injection is high impact. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, but the public disclosure and remote attack surface suggest a tangible risk. Exploitation requires network access to the device’s web interface, and the attacker does not need prior authentication. Given the potential for complete device compromise, the risk is significant for exposed devices.

Generated by OpenCVE AI on May 9, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware that removes the command-injection flaw on Wavlink NU516U1 routers.
  • Restrict access to the /cgi-bin/adm.cgi administrative interface to the local network or a trusted management VLAN.
  • Disable or remove the ability to change the Wi-Fi password via the web interface, or restrict that capability to privileged users through access control.

Advisories

No advisories yet.

History

Sat, 09 May 2026 15:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability has been found in Wavlink NU516U1 M16U1_V240425. Affected is the function change_wifi_password of the file /cgi-bin/adm.cgi. The manipulation of the argument wl_channel/wl_Pass/EncrypType leads to OS command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure.
Title | | Wavlink NU516U1 adm.cgi change_wifi_password os command injection
Weaknesses | | CWE-77, CWE-78
References | |
Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-09T15:15:09.621Z

Reserved: 2026-05-08T19:52:02.937Z

Link: CVE-2026-8188

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-09T16:16:08.870

Modified: 2026-05-09T16:16:08.870

Link: CVE-2026-8188

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T16:30:37Z

Weaknesses