Description
A weakness has been identified in Wavlink NU516U1 240425. This issue affects the function wzdapMesh of the file /cgi-bin/adm.cgi. This manipulation causes os command injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure.
Published: 2026-05-10
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the "wzdapMesh" function of the /cgi-bin/adm.cgi web interface on Wavlink NU516U1 devices. Manipulating input to this endpoint allows an attacker to inject arbitrary operating‑system commands. Once executed, the attacker can modify or read system files, disrupt network services, or use the device as a foothold for further attacks. This aligns with CWE‑77 (command injection) and CWE‑78 (OS command injection). The fact that the exploit has been made available to the public indicates that the flaw is actionable in real‑world scenarios.

Affected Systems

Only the Wavlink NU516U1 firmware build 240425 is confirmed to be vulnerable. No other versions or models are listed as affected.

Risk and Exploitability

The CVSS score of 5.3 reflects moderate severity, and the lack of an EPSS value together with the flaw's absence from the KEV list suggests exploitation is not currently widespread. The published vectors list PR:L (Au:S in CVSS v2), meaning the attacker needs a low-privileged authenticated session on the device. Nevertheless, the remote nature of the input vector and the availability of a public exploit mean that an adversary could trigger the vulnerability from outside the local network if the admin interface is reachable.

Generated by OpenCVE AI on May 10, 2026 at 05:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update from Wavlink that fixes the OS command injection flaw in adm.cgi.
  • If a patch is not yet available, restrict network access to the /cgi-bin/adm.cgi endpoint using firewall rules or local network segmentation so only trusted administrators can reach it.
  • Disable or tightly secure the administrative interface by requiring VPN access, strong authentication, and logging of all admin‑related activity.

Advisories

No advisories yet.

History

Sun, 10 May 2026 04:45:00 +0000

Values added, by type (the Values Removed column is empty):

  • Description: A weakness has been identified in Wavlink NU516U1 240425. This issue affects the function wzdapMesh of the file /cgi-bin/adm.cgi. This manipulation causes os command injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure.
  • Title: Wavlink NU516U1 adm.cgi wzdapMesh os command injection
  • Weaknesses: CWE-77, CWE-78
  • References:
  • Metrics:
      cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
      cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
      cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
      cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-10T03:45:08.687Z

Reserved: 2026-05-09T07:54:49.022Z

Link: CVE-2026-8227

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-10T05:16:12.407

Modified: 2026-05-10T05:16:12.407

Link: CVE-2026-8227

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T05:30:05Z

Weaknesses