Description
A vulnerability was found in Wavlink NU516U1 M16U1_V240425. Affected by this vulnerability is the function wzdrepeater of the file /cgi-bin/adm.cgi. The manipulation of the argument wlan_bssid/sel_Automode/sel_EncrypTyp results in os command injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure.
Published: 2026-05-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the wzdrepeater function of the /cgi-bin/adm.cgi script on Wavlink NU516U1 routers. By manipulating the wlan_bssid, sel_Automode, or sel_EncrypTyp parameters, an attacker can inject operating-system commands, leading to arbitrary command execution on the device. This is a classic example of the CWE-77 (OS Command Injection) and CWE-78 (OS Command Execution) weaknesses.

Affected Systems

Affected devices are Wavlink NU516U1 routers running firmware version M16U1_V240425. No other versions are explicitly listed in the advisory, so the scope is limited to this model and firmware build.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity. EPSS data is not available, so the likelihood of exploitation cannot be quantified from this advisory alone. The vulnerability is not listed in the CISA KEV catalog, suggesting no publicly confirmed exploitation yet. However, the description states the exploit has been made public, meaning a remote attacker with network access to the router’s administrative interface could potentially trigger the injection simply by sending crafted HTTP requests.

Generated by OpenCVE AI on May 9, 2026 at 17:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied firmware update that fixes the wzdrepeater command injection vulnerability.
  • If an update is not yet available, restrict access to the router’s web interface to trusted internal networks or disable remote administration entirely.
  • Continuously monitor the device’s access logs for anomalous requests to /cgi-bin/adm.cgi and investigate any suspicious activity.

Advisories

No advisories yet.

History

Sat, 09 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in Wavlink NU516U1 M16U1_V240425. Affected by this vulnerability is the function wzdrepeater of the file /cgi-bin/adm.cgi. The manipulation of the argument wlan_bssid/sel_Automode/sel_EncrypTyp results in os command injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure.
Title Wavlink NU516U1 adm.cgi wzdrepeater os command injection
Weaknesses CWE-77, CWE-78
References
Metrics
cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-09T16:15:09.043Z

Reserved: 2026-05-08T19:52:05.783Z

Link: CVE-2026-8189

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-09T17:16:08.333

Modified: 2026-05-09T17:16:08.333

Link: CVE-2026-8189

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T17:30:38Z

Weaknesses