PT-2026-39456 · Wavlink · Nu516U1

Ziyue Xie

·

Published

2026-05-10

·

Updated

2026-05-10

·

CVE-2026-8230

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Wavlink NU516U1 version 240425
Description A flaw in the sys login1() function within the '/cgi-bin/login.cgi' endpoint allows for remote OS command injection. This occurs through the manipulation of the ipaddr argument, which could lead to full system compromise. This issue is under active exploitation.
Recommendations Update Wavlink NU516U1 version 240425 to the latest patched version. As a temporary workaround, restrict access to the '/cgi-bin/login.cgi' endpoint to minimize the risk of exploitation.

Exploit

Fix

Command Injection

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-8230

Affected Products

Nu516U1