PT-2026-39404 · Wavlink · Nu516U1

Ziyue Xie · Published 2026-05-09 · Updated 2026-05-09 · CVE-2026-8192

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Wavlink NU516U1 M16U1 V240425

Description

A remote OS command injection flaw exists in the wzdap() function within the '/cgi-bin/adm.cgi' endpoint. The issue occurs because the EncrypType and wl Pass arguments are passed directly to the system without proper validation, allowing an attacker to execute arbitrary operating system commands.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the '/cgi-bin/adm.cgi' endpoint or avoid using the EncrypType and wl Pass parameters until a patch is available.

Exploit

OS Command Injection

Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-8192

Affected Products

Nu516U1