Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A security flaw has been discovered in Wavlink NU516U1 M16U1_V240425. This vulnerability affects the function wzdap of the file /cgi-bin/adm.cgi. Performing a manipulation of the argument EncrypType/wl_Pass is directly passed by the attacker/so we can control the EncrypType/wl_Pass results in os command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure.
AnalysisAI
Wavlink NU516U1 M16U1_V240425 is vulnerable to remote OS command injection through the wzdap function in /cgi-bin/adm.cgi, where the EncrypType and wl_Pass parameters are passed unsanitized to system commands. An authenticated remote attacker can manipulate these arguments to execute arbitrary commands with the privileges of the web server process. Exploit code is publicly available (CVSS 6.3, EPSS probability indicated by E:P vector).
Technical ContextAI
The vulnerability stems from CWE-78 (OS Command Injection), where user-supplied input from the EncrypType and wl_Pass CGI parameters in the adm.cgi script are directly concatenated into shell command execution without proper sanitization or parameterization. The wzdap function processes these parameters as part of network configuration commands, allowing attackers to break out of the intended command context and inject arbitrary shell metacharacters (pipes, semicolons, command substitution) to execute unintended system commands. This is a classic command injection flaw common in legacy embedded device management interfaces that construct system commands via string concatenation rather than using safe APIs.
RemediationAI
Contact Wavlink support immediately for a patched firmware version addressing this command injection vulnerability. If a security update is available for the NU516U1, upgrade to the latest firmware release from Wavlink. Interim compensating controls: (1) Restrict access to the web management interface (/cgi-bin/adm.cgi) using network firewall rules to limit connectivity to trusted administrative networks or VPNs only-this significantly reduces the attack surface since PR:L authentication is required; (2) Change default web interface credentials and enforce strong, unique passwords if the device ships with defaults; (3) Disable remote management if not operationally required, disabling the HTTP/HTTPS management port. Trade-offs: network access restrictions may complicate legitimate administration, and disabling remote management eliminates out-of-office device management capability. Monitor vendor advisory pages at https://vuldb.com/vuln/362344 for patch availability confirmation.
OS command injection in Wavlink NU516U1 240425 via the ipaddr parameter in /cgi-bin/login.cgi allows authenticated remot
Remote command injection in Wavlink NU516U1 240425 allows authenticated attackers to execute arbitrary OS commands via m
OS command injection in Wavlink NU516U1 240425 wireless configuration module allows authenticated remote attackers to ex
Remote OS command injection in Wavlink NU516U1 240425 via the wzdapMesh function in /cgi-bin/adm.cgi allows authenticate
Remote OS command injection in Wavlink NU516U1 M16U1_V240425 allows authenticated remote attackers to execute arbitrary
OS command injection in Wavlink NU516U1 M16U1_V240425 allows authenticated remote attackers to execute arbitrary system
Remote authenticated command injection in Wavlink NU516U1 M16U1_V240425 allows authenticated attackers to execute arbitr
OS command injection in Wavlink NU516U1 M16U1_V240425 allows authenticated remote attackers to execute arbitrary command
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28920