Skip to main content

Wavlink NU516U1 CVE-2026-8190

| EUVDEUVD-2026-28918 LOW
OS Command Injection (CWE-78)
2026-05-09 VulDB GHSA-hm76-m6wf-p499
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Severity Changed
May 09, 2026 - 18:22 NVD
MEDIUM LOW
CVSS changed
May 09, 2026 - 18:22 NVD
6.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
May 09, 2026 - 18:00 vuln.today
CVE Published
May 09, 2026 - 17:15 nvd
MEDIUM 6.3

DescriptionCVE.org

A vulnerability was determined in Wavlink NU516U1 M16U1_V240425. Affected by this issue is the function wan of the file /cgi-bin/adm.cgi. This manipulation of the argument ppp_username/ppp_passwd/rwan_ip/rwan_mask/rwan_gateway is directly passed by the attacker/so we can control the ppp_username/ppp_passwd/rwan_ip/rwan_mask/rwan_gateway causes os command injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure.

AnalysisAI

OS command injection in Wavlink NU516U1 M16U1_V240425 allows authenticated remote attackers to execute arbitrary system commands via unsanitized WAN configuration parameters (ppp_username, ppp_passwd, rwan_ip, rwan_mask, rwan_gateway) in the /cgi-bin/adm.cgi wan function. Publicly available exploit code exists and the vendor has been notified.

Technical ContextAI

The vulnerability resides in the WAN configuration endpoint of Wavlink's administrative CGI interface. The wan function in /cgi-bin/adm.cgi accepts multiple parameters related to PPP (Point-to-Point Protocol) and remote WAN settings but fails to properly sanitize user-supplied input before passing these values to operating system command execution routines. This represents a classic OS command injection flaw (CWE-78) where shell metacharacters embedded in the ppp_username, ppp_passwd, rwan_ip, rwan_mask, or rwan_gateway fields are interpreted as command syntax rather than literal data. The vulnerability affects the Wavlink NU516U1 wireless router/gateway device across affected firmware versions.

RemediationAI

Primary mitigation is to install a patched firmware version from Wavlink if available; contact Wavlink support for the current firmware release that addresses CVE-2026-8190, as no specific patch version number is provided in the available references. Immediate compensating control: disable remote management access to the /cgi-bin/adm.cgi endpoint from untrusted networks by restricting HTTP(S) access to the router's administrative interface to authorized internal IP ranges only, or by disabling WAN-facing access entirely if the router is not required for remote administration. If administrative access must be retained, enforce strong authentication (non-default credentials, disable any default accounts) and enable IP whitelisting at the firewall level. Monitor WAN configuration logs for suspicious parameter values containing shell metacharacters (backticks, semicolons, pipes, $() syntax). For networks with multiple Wavlink devices, prioritize remediation for units directly exposed to untrusted networks (internet-accessible, guest networks, or multi-tenant deployments) over internal-only deployments. Note: These mitigations reduce attack surface but do not eliminate the underlying command injection flaw - a proper patch is essential for complete remediation.

Share

CVE-2026-8190 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy