PT-2026-39337 · Wavlink · Nu516U1

Ziyue Xie

·

Published

2026-05-09

·

Updated

2026-05-09

·

CVE-2026-8189

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Wavlink NU516U1 M16U1 V240425
Description An OS command injection flaw exists in the wzdrepeater() function within the '/cgi-bin/adm.cgi' endpoint. This issue allows a remote attacker to execute arbitrary operating system commands by manipulating the wlan bssid, sel Automode, or sel EncrypTyp arguments.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the '/cgi-bin/adm.cgi' endpoint or avoid using the wlan bssid, sel Automode, and sel EncrypTyp parameters.

Exploit

Command Injection

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-8189

Affected Products

Nu516U1