Skip to main content

Wavlink NU516U1 CVE-2026-8192

| EUVDEUVD-2026-28920 LOW
OS Command Injection (CWE-78)
2026-05-09 VulDB
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Severity Changed
May 09, 2026 - 19:22 NVD
MEDIUM LOW
CVSS changed
May 09, 2026 - 19:22 NVD
6.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
May 09, 2026 - 19:15 vuln.today
CVE Published
May 09, 2026 - 18:30 nvd
MEDIUM 6.3

DescriptionCVE.org

A security flaw has been discovered in Wavlink NU516U1 M16U1_V240425. This vulnerability affects the function wzdap of the file /cgi-bin/adm.cgi. Performing a manipulation of the argument EncrypType/wl_Pass is directly passed by the attacker/so we can control the EncrypType/wl_Pass results in os command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure.

AnalysisAI

Wavlink NU516U1 M16U1_V240425 is vulnerable to remote OS command injection through the wzdap function in /cgi-bin/adm.cgi, where the EncrypType and wl_Pass parameters are passed unsanitized to system commands. An authenticated remote attacker can manipulate these arguments to execute arbitrary commands with the privileges of the web server process. Exploit code is publicly available (CVSS 6.3, EPSS probability indicated by E:P vector).

Technical ContextAI

The vulnerability stems from CWE-78 (OS Command Injection), where user-supplied input from the EncrypType and wl_Pass CGI parameters in the adm.cgi script are directly concatenated into shell command execution without proper sanitization or parameterization. The wzdap function processes these parameters as part of network configuration commands, allowing attackers to break out of the intended command context and inject arbitrary shell metacharacters (pipes, semicolons, command substitution) to execute unintended system commands. This is a classic command injection flaw common in legacy embedded device management interfaces that construct system commands via string concatenation rather than using safe APIs.

RemediationAI

Contact Wavlink support immediately for a patched firmware version addressing this command injection vulnerability. If a security update is available for the NU516U1, upgrade to the latest firmware release from Wavlink. Interim compensating controls: (1) Restrict access to the web management interface (/cgi-bin/adm.cgi) using network firewall rules to limit connectivity to trusted administrative networks or VPNs only-this significantly reduces the attack surface since PR:L authentication is required; (2) Change default web interface credentials and enforce strong, unique passwords if the device ships with defaults; (3) Disable remote management if not operationally required, disabling the HTTP/HTTPS management port. Trade-offs: network access restrictions may complicate legitimate administration, and disabling remote management eliminates out-of-office device management capability. Monitor vendor advisory pages at https://vuldb.com/vuln/362344 for patch availability confirmation.

Share

CVE-2026-8192 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy