Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability was determined in Wavlink NU516U1 M16U1_V240425. Affected by this issue is the function wan of the file /cgi-bin/adm.cgi. This manipulation of the argument ppp_username/ppp_passwd/rwan_ip/rwan_mask/rwan_gateway is directly passed by the attacker/so we can control the ppp_username/ppp_passwd/rwan_ip/rwan_mask/rwan_gateway causes os command injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure.
AnalysisAI
OS command injection in Wavlink NU516U1 M16U1_V240425 allows authenticated remote attackers to execute arbitrary system commands via unsanitized WAN configuration parameters (ppp_username, ppp_passwd, rwan_ip, rwan_mask, rwan_gateway) in the /cgi-bin/adm.cgi wan function. Publicly available exploit code exists and the vendor has been notified.
Technical ContextAI
The vulnerability resides in the WAN configuration endpoint of Wavlink's administrative CGI interface. The wan function in /cgi-bin/adm.cgi accepts multiple parameters related to PPP (Point-to-Point Protocol) and remote WAN settings but fails to properly sanitize user-supplied input before passing these values to operating system command execution routines. This represents a classic OS command injection flaw (CWE-78) where shell metacharacters embedded in the ppp_username, ppp_passwd, rwan_ip, rwan_mask, or rwan_gateway fields are interpreted as command syntax rather than literal data. The vulnerability affects the Wavlink NU516U1 wireless router/gateway device across affected firmware versions.
RemediationAI
Primary mitigation is to install a patched firmware version from Wavlink if available; contact Wavlink support for the current firmware release that addresses CVE-2026-8190, as no specific patch version number is provided in the available references. Immediate compensating control: disable remote management access to the /cgi-bin/adm.cgi endpoint from untrusted networks by restricting HTTP(S) access to the router's administrative interface to authorized internal IP ranges only, or by disabling WAN-facing access entirely if the router is not required for remote administration. If administrative access must be retained, enforce strong authentication (non-default credentials, disable any default accounts) and enable IP whitelisting at the firewall level. Monitor WAN configuration logs for suspicious parameter values containing shell metacharacters (backticks, semicolons, pipes, $() syntax). For networks with multiple Wavlink devices, prioritize remediation for units directly exposed to untrusted networks (internet-accessible, guest networks, or multi-tenant deployments) over internal-only deployments. Note: These mitigations reduce attack surface but do not eliminate the underlying command injection flaw - a proper patch is essential for complete remediation.
OS command injection in Wavlink NU516U1 240425 via the ipaddr parameter in /cgi-bin/login.cgi allows authenticated remot
Remote command injection in Wavlink NU516U1 240425 allows authenticated attackers to execute arbitrary OS commands via m
OS command injection in Wavlink NU516U1 240425 wireless configuration module allows authenticated remote attackers to ex
Remote OS command injection in Wavlink NU516U1 240425 via the wzdapMesh function in /cgi-bin/adm.cgi allows authenticate
Wavlink NU516U1 M16U1_V240425 is vulnerable to remote OS command injection through the wzdap function in /cgi-bin/adm.cg
Remote OS command injection in Wavlink NU516U1 M16U1_V240425 allows authenticated remote attackers to execute arbitrary
Remote authenticated command injection in Wavlink NU516U1 M16U1_V240425 allows authenticated attackers to execute arbitr
OS command injection in Wavlink NU516U1 M16U1_V240425 allows authenticated remote attackers to execute arbitrary command
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28918
GHSA-hm76-m6wf-p499