CVE-2025-10959

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Wavlink NU516U1 M16U1 V240425

Description A flaw exists that allows for remote command injection. The issue is located in the sub 401778 function within the /cgi-bin/firewall.cgi file. Manipulation of the dmz flag argument can trigger the flaw. The exploit has been publicly disclosed.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Command Injection

Special Elements Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-77CWE-74

Related Identifiers

BDU:2025-16413

CVE-2025-10959

Affected Products

M16U1 V240425

Wavlink Nu516U1

CVE-2025-10959

Weakness Enumeration

Related Identifiers

Affected Products

References · 13