Description
A security flaw has been discovered in Wavlink NU516U1 M16U1_V240425. This vulnerability affects the function wzdap of the file /cgi-bin/adm.cgi. The argument EncrypType/wl_Pass is passed in directly from attacker-supplied input, so manipulating it results in OS command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure.
Published: 2026-05-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the wzdap function of the /cgi-bin/adm.cgi script on the Wavlink NU516U1 allows an attacker to inject arbitrary OS commands via the EncrypType/wl_Pass argument. The supplied value is passed directly to the operating system without validation, giving the attacker control over system command execution. The weakness touches both CWE‑77 (OS Command Injection) and CWE‑78 (OS Command Injection through Input).

Affected Systems

The affected vendor is Wavlink, with the specific product model NU516U1. The vulnerability exists in firmware build M16U1_V240425. No other versions or models are listed as affected.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. The flaw can be triggered remotely via HTTP requests to /cgi-bin/adm.cgi, and a public exploit is available. Once exploited, an attacker can run arbitrary commands on the device, potentially leading to full system compromise.

Generated by OpenCVE AI on May 9, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s firmware update that removes OS command injection from the wzdap function.
  • Block or restrict external access to the /cgi-bin/adm.cgi endpoint using a firewall or network ACL.
  • If an update is unavailable, disable the adm.cgi interface or isolate the device from untrusted networks.



Advisories

No advisories yet.

History

Sat, 09 May 2026 18:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A security flaw has been discovered in Wavlink NU516U1 M16U1_V240425. This vulnerability affects the function wzdap of the file /cgi-bin/adm.cgi. The argument EncrypType/wl_Pass is passed in directly from attacker-supplied input, so manipulating it results in OS command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure. |
| Title | | Wavlink NU516U1 adm.cgi wzdap os command injection |
| Weaknesses | | CWE-77, CWE-78 |
| References | | |
| Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'} |
| | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'} |
| | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'} |
| | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'} |



MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-09T18:30:11.631Z

Reserved: 2026-05-08T19:52:14.500Z

Link: CVE-2026-8192

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-09T19:16:10.127

Modified: 2026-05-09T19:16:10.127

Link: CVE-2026-8192

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T19:30:40Z
