PT-2026-39404 · Wavlink · Nu516U1
Ziyue Xie
·
Published
2026-05-09
·
Updated
2026-05-09
·
CVE-2026-8192
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Wavlink NU516U1 M16U1 V240425
Description
A remote OS command injection flaw exists in the
wzdap() function within the '/cgi-bin/adm.cgi' endpoint. The issue occurs because the EncrypType and wl Pass arguments are passed directly to the system without proper validation, allowing an attacker to execute arbitrary operating system commands.Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
As a temporary workaround, restrict access to the '/cgi-bin/adm.cgi' endpoint or avoid using the
EncrypType and wl Pass parameters until a patch is available.Exploit
OS Command Injection
Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Nu516U1