Skip to main content

Wavlink WL-NU516U1-A CVE-2026-13538

| EUVDEUVD-2026-40036 LOW
Command Injection (CWE-77)
2026-06-29 VulDB GHSA-ffh8-39gq-j894
2.1
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
2.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Authenticated network-exploitable command injection yields full OS command execution on the router, warranting C:H/I:H/A:H; PR:L reflects required authentication per CVSS 4.0 input vector.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Severity Changed
Jun 29, 2026 - 06:22 NVD
MEDIUM LOW
CVSS changed
Jun 29, 2026 - 06:22 NVD
5.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
Jun 29, 2026 - 05:48 vuln.today

DescriptionCVE.org

A vulnerability was determined in Wavlink WL-NU516U1-A M16U1_V240425. The affected element is the function sub_401D68 of the file /cgi-bin/wireless.cgi of the component POST Parameter Handler. This manipulation of the argument SSID2G2/SSID5G2/AuthMethod2/WPAPSK12 causes command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The affected component should be upgraded. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

AnalysisAI

Command injection in Wavlink WL-NU516U1-A router firmware (M16U1_V240425) allows authenticated remote attackers to execute arbitrary OS commands by submitting crafted POST parameters to the wireless CGI configuration handler. The affected function sub_401D68 within /cgi-bin/wireless.cgi fails to sanitize the SSID2G2, SSID5G2, AuthMethod2, and WPAPSK12 parameters before passing them to OS-level commands. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid admin credentials via default password or credential reuse
Delivery
Send crafted HTTP POST to /cgi-bin/wireless.cgi
Exploit
Inject shell metacharacters in SSID2G2, SSID5G2, AuthMethod2, or WPAPSK12 parameter
Execution
sub_401D68 passes unsanitized input to OS command invocation
Persist
Execute arbitrary commands as router CGI process user
Impact
Achieve persistent device control or pivot to LAN

Vulnerability AssessmentAI

Exploitation Exploitation requires authenticated access to the device's web management interface - the CVSS 4.0 vector specifies PR:L, confirming that at least a low-privilege authenticated session is necessary. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/E:P) with a score of 5.3 reflects the mitigating authentication requirement (PR:L) and the conservative VC:L/VI:L/VA:L impact rating applied by the reporter. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained valid credentials to the Wavlink WL-NU516U1-A web administration panel - whether via credential stuffing, default password abuse, or prior compromise - submits a crafted HTTP POST request to /cgi-bin/wireless.cgi with shell metacharacters (e.g., a semicolon followed by an arbitrary command) embedded in the SSID2G2 or WPAPSK12 parameter. Function sub_401D68 passes the value unsanitized to an OS command invocation, causing arbitrary code to execute with the privileges of the CGI process on the router. …
Remediation The primary remediation is to upgrade the WL-NU516U1-A firmware to the vendor-patched release dated 2026-06-22, downloadable directly from https://dl.wavlink.com/firmware/RD/WINSTAR_NU516U1-WO-A-2026-06-22-5ccde97-mt7628-squashfs-sysupgrade.bin. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13538 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy