CVE-2026-2565
Stack-Based Buffer Overflow in Wavlink WL-NU516U1 Remote CGI
Publication date: 2026-02-16
Last updated on: 2026-02-18
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wavlink | wl-nu516u1_firmware | to 2025-12-08 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-2565 is a stack-based buffer overflow vulnerability found in the Wavlink WL-NU516U1 device firmware version 20251208. The flaw exists in the function sub_40785C within the file /cgi-bin/adm.cgi and is triggered by manipulating the "time_zone" argument in a POST request.'}, {'type': 'paragraph', 'content': 'Specifically, the vulnerable function allocates a fixed-size 16-byte buffer on the stack to store the time_zone string, but does not validate the length of the input before copying it. If the time_zone string is longer than 15 bytes plus a null terminator, it causes a buffer overflow that overwrites adjacent memory, including saved registers and the return address.'}, {'type': 'paragraph', 'content': "This overflow can allow an attacker to hijack the program's control flow and potentially execute arbitrary code remotely. However, exploitation requires authentication and is considered difficult. The vulnerability affects the device's confidentiality, integrity, and availability."}] [1, 2]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': "This vulnerability can impact you by allowing a remote attacker, who has authenticated access, to exploit the stack-based buffer overflow to hijack the device's control flow."}, {'type': 'paragraph', 'content': 'Successful exploitation could lead to arbitrary code execution on the device, compromising its confidentiality, integrity, and availability.'}, {'type': 'paragraph', 'content': 'This means sensitive data could be exposed or altered, device functions could be disrupted, and the device could be used as a foothold for further attacks within your network.'}] [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious POST requests to the /cgi-bin/adm.cgi endpoint, specifically those manipulating the time_zone parameter with unusually long input strings exceeding 15 bytes.'}, {'type': 'paragraph', 'content': 'Detection can involve capturing and analyzing HTTP POST traffic targeting the adm.cgi interface on the Wavlink WL-NU516U1 device.'}, {'type': 'paragraph', 'content': 'Suggested commands include using network packet capture tools such as tcpdump or Wireshark to filter for POST requests to /cgi-bin/adm.cgi and inspecting the time_zone parameter length.'}, {'type': 'list_item', 'content': "tcpdump -i <interface> -A -s 0 'tcp port 80 and (((ip dst <device_ip>) and (tcp[32:4] = 0x504f5354)))'"}, {'type': 'list_item', 'content': 'Use curl or similar tools to test the endpoint by sending crafted POST requests with varying time_zone parameter lengths to observe device behavior.'}, {'type': 'paragraph', 'content': 'Since exploitation requires authentication, monitoring for failed or suspicious authentication attempts combined with unusual time_zone parameter values can also help in detection.'}] [1, 2]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'There are no official patches or fixes available from the vendor for this vulnerability.'}, {'type': 'paragraph', 'content': 'Immediate mitigation steps include replacing the affected Wavlink WL-NU516U1 device with an alternative product that is not vulnerable.'}, {'type': 'paragraph', 'content': "Additionally, restrict network access to the device's management interface (/cgi-bin/adm.cgi) to trusted users only, and monitor for suspicious activity."}, {'type': 'paragraph', 'content': 'Ensure strong authentication credentials are used to reduce the risk of exploitation, as the attack requires authentication.'}, {'type': 'paragraph', 'content': 'If possible, disable remote management or restrict it to secure management networks to reduce exposure.'}] [1, 2]