Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A flaw has been found in Wavlink NU516U1 240425. The impacted element is the function sys_login1 of the file /cgi-bin/login.cgi. Executing a manipulation of the argument ipaddr can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure.
AnalysisAI
OS command injection in Wavlink NU516U1 240425 via the ipaddr parameter in /cgi-bin/login.cgi allows authenticated remote attackers to execute arbitrary system commands with limited impact (confidentiality, integrity, availability). The vulnerability requires valid credentials (PR:L) but can be exploited over the network without user interaction. Publicly available exploit code exists, and the vendor was notified during coordinated disclosure.
Technical ContextAI
The vulnerability exists in the sys_login1 function within the login.cgi CGI script, a common web interface component in network devices. The ipaddr parameter is passed to an OS command execution context without proper input sanitization or escaping, enabling command injection via shell metacharacters. This is a classic CWE-78 (Improper Neutralization of Special Elements used in an OS Command) flaw where user-controlled input reaches shell command execution APIs. The affected device is a wireless router/access point (NU516U1 model), suggesting the vulnerability resides in the device's embedded web management interface.
RemediationAI
The vendor was contacted during coordinated disclosure but no patch version has been publicly released according to available data. Immediate mitigations include: (1) Restrict network access to the device's web management interface (TCP port typically 80/443) using a firewall rule permitting only trusted IP ranges or administrative subnets; (2) Change default credentials (if applied) and enforce strong, unique passwords for device management accounts; (3) Disable remote administration or web management access if not required, using device settings or network segmentation; (4) Monitor for suspicious login attempts and command execution patterns via device logs. Contact Wavlink support to obtain a patched firmware version if available. Until a vendor patch is available, network isolation is the most effective compensating control.
Remote command injection in Wavlink NU516U1 240425 allows authenticated attackers to execute arbitrary OS commands via m
OS command injection in Wavlink NU516U1 240425 wireless configuration module allows authenticated remote attackers to ex
Remote OS command injection in Wavlink NU516U1 240425 via the wzdapMesh function in /cgi-bin/adm.cgi allows authenticate
Wavlink NU516U1 M16U1_V240425 is vulnerable to remote OS command injection through the wzdap function in /cgi-bin/adm.cg
Remote OS command injection in Wavlink NU516U1 M16U1_V240425 allows authenticated remote attackers to execute arbitrary
OS command injection in Wavlink NU516U1 M16U1_V240425 allows authenticated remote attackers to execute arbitrary system
Remote authenticated command injection in Wavlink NU516U1 M16U1_V240425 allows authenticated attackers to execute arbitr
OS command injection in Wavlink NU516U1 M16U1_V240425 allows authenticated remote attackers to execute arbitrary command
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28978
GHSA-qv2r-5x2x-f9xv