Skip to main content

Wavlink NU516U1 EUVDEUVD-2026-28915

| CVE-2026-8188 LOW
OS Command Injection (CWE-78)
2026-05-09 VulDB GHSA-jcpm-gq2p-99p9
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Severity Changed
May 09, 2026 - 16:22 NVD
MEDIUM LOW
CVSS changed
May 09, 2026 - 16:22 NVD
6.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
May 09, 2026 - 16:00 vuln.today
CVE Published
May 09, 2026 - 15:15 nvd
MEDIUM 6.3

DescriptionCVE.org

A vulnerability has been found in Wavlink NU516U1 M16U1_V240425. Affected is the function change_wifi_password of the file /cgi-bin/adm.cgi. The manipulation of the argument wl_channel/wl_Pass/EncrypType leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure.

AnalysisAI

OS command injection in Wavlink NU516U1 M16U1_V240425 allows authenticated remote attackers to execute arbitrary commands via the change_wifi_password function in /cgi-bin/adm.cgi by manipulating the wl_channel, wl_Pass, or EncrypType parameters. Publicly available exploit code exists, and the vendor has been notified of the vulnerability.

Technical ContextAI

The vulnerability exists in the CGI script handler /cgi-bin/adm.cgi, specifically in the change_wifi_password function. The application fails to properly sanitize user-supplied input from the wl_channel, wl_Pass, and EncrypType parameters before passing them to OS command execution routines. This is a classic OS command injection flaw (CWE-78) where unsanitized user input is concatenated into shell commands without proper quoting or escaping, allowing an authenticated attacker to break out of the intended command context and inject arbitrary shell metacharacters and commands. The Wavlink NU516U1 is a wireless mesh networking device, and the vulnerable CGI endpoint is responsible for WiFi configuration operations.

RemediationAI

Update Wavlink NU516U1 to the latest firmware version released by Wavlink after M16U1_V240425. Check Wavlink's official support website or device management interface for available firmware updates. If an update is not yet available, implement network-level compensating controls: restrict administrative access to the device's CGI endpoints (/cgi-bin/adm.cgi) using firewall rules or network segmentation, allowing only trusted management networks or IP addresses to reach the device's web interface on ports 80/443. Change any default administrative credentials immediately and implement strong, unique passwords for all device accounts. Disable remote management of the device if not actively required, as this reduces the network attack surface. Monitor device access logs for suspicious CGI requests to the change_wifi_password function. The public exploit code (available on GitHub) demonstrates the vulnerability with wl_channel, wl_Pass, and EncrypType parameters, so focus compensating controls on limiting who can reach these endpoints.

Share

EUVD-2026-28915 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy