Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable CGI handler with low complexity and no user interaction, but PR:L since web-interface authentication is required; memory corruption yields high C/I/A with no scope change.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
A vulnerability was identified in Wavlink WL-NU516U1-A M16U1_V240425. The impacted element is the function sub_407504 of the file /cgi-bin/wireless.cgi of the component POST Parameter Handler. Such manipulation of the argument Guest_ssid leads to stack-based buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used. It is suggested to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
AnalysisAI
Stack-based buffer overflow in the Wavlink WL-NU516U1-A wireless range extender (firmware M16U1_V240425) lets a remote, low-privileged attacker corrupt memory by sending an oversized Guest_ssid POST parameter to the sub_407504 function in /cgi-bin/wireless.cgi. The flaw was reported by VulDB, publicly available exploit code exists, and it carries a CVSS 4.0 base score of 7.4; there is no evidence of active exploitation in CISA KEV at this time.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires reaching the /cgi-bin/wireless.cgi endpoint and submitting an oversized Guest_ssid POST parameter to the sub_407504 handler on a Wavlink WL-NU516U1-A running firmware M16U1_V240425. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) describes a network-reachable, low-complexity attack requiring only low privileges and no user interaction, with high confidentiality, integrity, and availability impact to the vulnerable system (VC:H/VI:H/VA:H) and no scope change to other systems - yielding 7.4 (High). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with low-privilege access to the device's web interface (for example via default or guest credentials, or an exposed management page) sends a crafted POST request to /cgi-bin/wireless.cgi with an overlong Guest_ssid value. This overflows a fixed-size stack buffer in sub_407504, crashing the service or potentially redirecting execution to attacker-controlled code; a public proof-of-concept for this exact path is available on GitHub. |
| Remediation | Vendor-released patch: apply the fixed Wavlink firmware image dated 2026-06-22 (WINSTAR_NU516U1-WO-A-2026-06-22-5ccde97-mt7628-squashfs-sysupgrade.bin) available at https://dl.wavlink.com/firmware/RD/WINSTAR_NU516U1-WO-A-2026-06-22-5ccde97-mt7628-squashfs-sysupgrade.bin; the vendor responded professionally and quickly released this fix. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Wavlink WL-NU516U1-A range extenders and segregate any running firmware M16U1_V240425 from critical network segments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Wl Nu516U1 A
View allSame weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40037
GHSA-w62x-cjgj-j8jh