PT-2025-39441 · Wavlink · Wavlink Nu516U1 M16U1 V240425

Panda_0X1

Published

2025-09-11

Updated

2025-09-26

CVE-2025-10963

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Wavlink NU516U1 M16U1 V240425

Description A security flaw exists in the Wavlink NU516U1 M16U1 V240425. The issue is due to command injection in the /cgi-bin/firewall.cgi file, specifically within the sub 4016F0 function. Manipulation of the del flag argument can lead to remote code execution. The exploit for this issue has been publicly released.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Command Injection

Special Elements Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-77CWE-74

Related Identifiers

BDU:2025-16416

CVE-2025-10963

Affected Products

Wavlink Nu516U1 M16U1 V240425

PT-2025-39441 · Wavlink · Wavlink Nu516U1 M16U1 V240425

CVE-2025-10963

Weakness Enumeration

Related Identifiers

Affected Products

References · 11