Skip to main content

Wavlink WL-NU516U1-A CVE-2026-13539

| EUVDEUVD-2026-40037 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-06-29 VulDB GHSA-w62x-cjgj-j8jh
7.4
CVSS 4.0 · Vendor: VulDB
Share

Severity by source

Vendor (VulDB) PRIMARY
7.4 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Network-reachable CGI handler with low complexity and no user interaction, but PR:L since web-interface authentication is required; memory corruption yields high C/I/A with no scope change.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
Jun 29, 2026 - 07:43 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 29, 2026 - 07:43 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 29, 2026 - 07:37 vuln.today
cvss_changed
CVSS changed
Jun 29, 2026 - 07:37 NVD
8.7 (HIGH) 7.4 (HIGH)
Analysis Generated
Jun 29, 2026 - 07:15 vuln.today

DescriptionCVE.org

A vulnerability was identified in Wavlink WL-NU516U1-A M16U1_V240425. The impacted element is the function sub_407504 of the file /cgi-bin/wireless.cgi of the component POST Parameter Handler. Such manipulation of the argument Guest_ssid leads to stack-based buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used. It is suggested to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

AnalysisAI

Stack-based buffer overflow in the Wavlink WL-NU516U1-A wireless range extender (firmware M16U1_V240425) lets a remote, low-privileged attacker corrupt memory by sending an oversized Guest_ssid POST parameter to the sub_407504 function in /cgi-bin/wireless.cgi. The flaw was reported by VulDB, publicly available exploit code exists, and it carries a CVSS 4.0 base score of 7.4; there is no evidence of active exploitation in CISA KEV at this time.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to device web UI
Delivery
Send POST to /cgi-bin/wireless.cgi
Exploit
Overflow Guest_ssid stack buffer in sub_407504
Execution
Overwrite saved return address
Impact
Hijack control flow or crash service

Vulnerability AssessmentAI

Exploitation Exploitation requires reaching the /cgi-bin/wireless.cgi endpoint and submitting an oversized Guest_ssid POST parameter to the sub_407504 handler on a Wavlink WL-NU516U1-A running firmware M16U1_V240425. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) describes a network-reachable, low-complexity attack requiring only low privileges and no user interaction, with high confidentiality, integrity, and availability impact to the vulnerable system (VC:H/VI:H/VA:H) and no scope change to other systems - yielding 7.4 (High). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with low-privilege access to the device's web interface (for example via default or guest credentials, or an exposed management page) sends a crafted POST request to /cgi-bin/wireless.cgi with an overlong Guest_ssid value. This overflows a fixed-size stack buffer in sub_407504, crashing the service or potentially redirecting execution to attacker-controlled code; a public proof-of-concept for this exact path is available on GitHub.
Remediation Vendor-released patch: apply the fixed Wavlink firmware image dated 2026-06-22 (WINSTAR_NU516U1-WO-A-2026-06-22-5ccde97-mt7628-squashfs-sysupgrade.bin) available at https://dl.wavlink.com/firmware/RD/WINSTAR_NU516U1-WO-A-2026-06-22-5ccde97-mt7628-squashfs-sysupgrade.bin; the vendor responded professionally and quickly released this fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Wavlink WL-NU516U1-A range extenders and segregate any running firmware M16U1_V240425 from critical network segments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13539 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy