Description
A weakness has been identified in Wavlink NU516U1 240425. This issue affects the function wzdapMesh of the file /cgi-bin/adm.cgi. This manipulation causes os command injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure.
Published: 2026-05-10
Score: 5.3 Medium
EPSS: 4.9% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the wzdapMesh function of /cgi-bin/adm.cgi on Wavlink NU516U1 routers. It allows an attacker to submit crafted input that triggers an operating‑system command injection (CWE‑77, CWE‑78). The CVE description confirms that arbitrary OS commands can be executed remotely. While the description does not list the exact consequences, it is inferred that, once executed, an attacker could potentially read, modify, or delete system files, disrupt network services, or use the device as a foothold for further attacks. These potential impacts are not explicitly stated but are typical for command‑injection flaws.

Affected Systems

Only the Wavlink NU516U1 model with firmware build 240425 is explicitly marked as vulnerable. No other firmware revisions or device variants are listed as affected, so administrators should confirm the exact firmware version on their network equipment.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity in terms of confidentiality, integrity, and availability. The EPSS score of 5% indicates a low estimated likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the attack vector is remote – the web‑based /cgi-bin/adm.cgi interface can be accessed from outside the local network if not properly restricted. Because a public exploit is available, an adversary could trigger the injection from untrusted networks, making the risk non‑negligible in environments where the admin interface is exposed.

Generated by OpenCVE AI on June 18, 2026 at 13:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware release from Wavlink that fixes the command‑injection defect in adm.cgi.
  • If a patch is not yet available, restrict external access to the /cgi-bin/adm.cgi endpoint using firewall rules or device‑level ACLs so that only trusted administrators or VPN connections can reach it.
  • Enforce strong authentication for the administrative interface, isolate it within a VLAN or DMZ, and require VPN usage for remote management.
  • Monitor administrative logs for anomalous activity and perform regular integrity checks on system files to detect potential tampering.

Advisories

No advisories yet.

History

Wed, 13 May 2026 16:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Wavlink wl-nu516u1 Firmware |
| CPEs | | `cpe:2.3:h:wavlink:wl-nu516u1:-:*:*:*:*:*:*:*` |
| | | `cpe:2.3:o:wavlink:wl-nu516u1_firmware:m16u1_v240425:*:*:*:*:*:*:*` |
| Vendors & Products | | Wavlink wl-nu516u1 Firmware |

Mon, 11 May 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |

Sun, 10 May 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Wavlink |
| | | Wavlink wl-nu516u1 |
| Vendors & Products | | Wavlink |
| | | Wavlink wl-nu516u1 |

Sun, 10 May 2026 04:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A weakness has been identified in Wavlink NU516U1 240425. This issue affects the function wzdapMesh of the file /cgi-bin/adm.cgi. This manipulation causes os command injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure. |
| Title | | Wavlink NU516U1 adm.cgi wzdapMesh os command injection |
| Weaknesses | | CWE-77 |
| | | CWE-78 |
| References | | |
| Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'} |
| | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'} |
| | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'} |
| | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'} |

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-11T17:03:20.576Z

Reserved: 2026-05-09T07:54:49.022Z

Link: CVE-2026-8227

Vulnrichment

Updated: 2026-05-11T17:03:13.150Z

NVD

Status: Analyzed

Published: 2026-05-10T05:16:12.407

Modified: 2026-06-17T11:03:40.783

Link: CVE-2026-8227

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T13:15:15Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')