PT-2026-39456 · Wavlink · Nu516U1
Ziyue Xie
·
Published
2026-05-10
·
Updated
2026-05-10
·
CVE-2026-8230
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Wavlink NU516U1 version 240425
Description
A flaw in the
sys login1() function within the '/cgi-bin/login.cgi' endpoint allows for remote OS command injection. This occurs through the manipulation of the ipaddr argument, which could lead to full system compromise. This issue is under active exploitation.Recommendations
Update Wavlink NU516U1 version 240425 to the latest patched version.
As a temporary workaround, restrict access to the '/cgi-bin/login.cgi' endpoint to minimize the risk of exploitation.
Exploit
Fix
Command Injection
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Nu516U1