Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability has been found in Wavlink NU516U1 M16U1_V240425. Affected is the function change_wifi_password of the file /cgi-bin/adm.cgi. The manipulation of the argument wl_channel/wl_Pass/EncrypType leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure.
AnalysisAI
OS command injection in Wavlink NU516U1 M16U1_V240425 allows authenticated remote attackers to execute arbitrary commands via the change_wifi_password function in /cgi-bin/adm.cgi by manipulating the wl_channel, wl_Pass, or EncrypType parameters. Publicly available exploit code exists, and the vendor has been notified of the vulnerability.
Technical ContextAI
The vulnerability exists in the CGI script handler /cgi-bin/adm.cgi, specifically in the change_wifi_password function. The application fails to properly sanitize user-supplied input from the wl_channel, wl_Pass, and EncrypType parameters before passing them to OS command execution routines. This is a classic OS command injection flaw (CWE-78) where unsanitized user input is concatenated into shell commands without proper quoting or escaping, allowing an authenticated attacker to break out of the intended command context and inject arbitrary shell metacharacters and commands. The Wavlink NU516U1 is a wireless mesh networking device, and the vulnerable CGI endpoint is responsible for WiFi configuration operations.
RemediationAI
Update Wavlink NU516U1 to the latest firmware version released by Wavlink after M16U1_V240425. Check Wavlink's official support website or device management interface for available firmware updates. If an update is not yet available, implement network-level compensating controls: restrict administrative access to the device's CGI endpoints (/cgi-bin/adm.cgi) using firewall rules or network segmentation, allowing only trusted management networks or IP addresses to reach the device's web interface on ports 80/443. Change any default administrative credentials immediately and implement strong, unique passwords for all device accounts. Disable remote management of the device if not actively required, as this reduces the network attack surface. Monitor device access logs for suspicious CGI requests to the change_wifi_password function. The public exploit code (available on GitHub) demonstrates the vulnerability with wl_channel, wl_Pass, and EncrypType parameters, so focus compensating controls on limiting who can reach these endpoints.
OS command injection in Wavlink NU516U1 240425 via the ipaddr parameter in /cgi-bin/login.cgi allows authenticated remot
Remote command injection in Wavlink NU516U1 240425 allows authenticated attackers to execute arbitrary OS commands via m
OS command injection in Wavlink NU516U1 240425 wireless configuration module allows authenticated remote attackers to ex
Remote OS command injection in Wavlink NU516U1 240425 via the wzdapMesh function in /cgi-bin/adm.cgi allows authenticate
Wavlink NU516U1 M16U1_V240425 is vulnerable to remote OS command injection through the wzdap function in /cgi-bin/adm.cg
Remote OS command injection in Wavlink NU516U1 M16U1_V240425 allows authenticated remote attackers to execute arbitrary
OS command injection in Wavlink NU516U1 M16U1_V240425 allows authenticated remote attackers to execute arbitrary system
Remote authenticated command injection in Wavlink NU516U1 M16U1_V240425 allows authenticated attackers to execute arbitr
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28915
GHSA-jcpm-gq2p-99p9