CVE-2026-2565
Received Received - Intake
Stack-Based Buffer Overflow in Wavlink WL-NU516U1 Remote CGI

Publication date: 2026-02-16

Last updated on: 2026-02-18

Assigner: VulDB

Description
A weakness has been identified in Wavlink WL-NU516U1 20251208. Affected by this issue is the function sub_40785C of the file /cgi-bin/adm.cgi. This manipulation of the argument time_zone causes stack-based buffer overflow. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitation is known to be difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-16
Last Modified
2026-02-18
Generated
2026-06-16
AI Q&A
2026-02-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2565
EUVD
EUVD-2026-7665
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wavlink wl-nu516u1_firmware to 2025-12-08 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-2565 is a stack-based buffer overflow vulnerability found in the Wavlink WL-NU516U1 device firmware version 20251208. The flaw exists in the function sub_40785C within the file /cgi-bin/adm.cgi and is triggered by manipulating the "time_zone" argument in a POST request.'}, {'type': 'paragraph', 'content': 'Specifically, the vulnerable function allocates a fixed-size 16-byte buffer on the stack to store the time_zone string, but does not validate the length of the input before copying it. If the time_zone string is longer than 15 bytes plus a null terminator, it causes a buffer overflow that overwrites adjacent memory, including saved registers and the return address.'}, {'type': 'paragraph', 'content': "This overflow can allow an attacker to hijack the program's control flow and potentially execute arbitrary code remotely. However, exploitation requires authentication and is considered difficult. The vulnerability affects the device's confidentiality, integrity, and availability."}] [1, 2]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can impact you by allowing a remote attacker, who has authenticated access, to exploit the stack-based buffer overflow to hijack the device's control flow."}, {'type': 'paragraph', 'content': 'Successful exploitation could lead to arbitrary code execution on the device, compromising its confidentiality, integrity, and availability.'}, {'type': 'paragraph', 'content': 'This means sensitive data could be exposed or altered, device functions could be disrupted, and the device could be used as a foothold for further attacks within your network.'}] [1, 2]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious POST requests to the /cgi-bin/adm.cgi endpoint, specifically those manipulating the time_zone parameter with unusually long input strings exceeding 15 bytes.'}, {'type': 'paragraph', 'content': 'Detection can involve capturing and analyzing HTTP POST traffic targeting the adm.cgi interface on the Wavlink WL-NU516U1 device.'}, {'type': 'paragraph', 'content': 'Suggested commands include using network packet capture tools such as tcpdump or Wireshark to filter for POST requests to /cgi-bin/adm.cgi and inspecting the time_zone parameter length.'}, {'type': 'list_item', 'content': "tcpdump -i <interface> -A -s 0 'tcp port 80 and (((ip dst <device_ip>) and (tcp[32:4] = 0x504f5354)))'"}, {'type': 'list_item', 'content': 'Use curl or similar tools to test the endpoint by sending crafted POST requests with varying time_zone parameter lengths to observe device behavior.'}, {'type': 'paragraph', 'content': 'Since exploitation requires authentication, monitoring for failed or suspicious authentication attempts combined with unusual time_zone parameter values can also help in detection.'}] [1, 2]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'There are no official patches or fixes available from the vendor for this vulnerability.'}, {'type': 'paragraph', 'content': 'Immediate mitigation steps include replacing the affected Wavlink WL-NU516U1 device with an alternative product that is not vulnerable.'}, {'type': 'paragraph', 'content': "Additionally, restrict network access to the device's management interface (/cgi-bin/adm.cgi) to trusted users only, and monitor for suspicious activity."}, {'type': 'paragraph', 'content': 'Ensure strong authentication credentials are used to reduce the risk of exploitation, as the attack requires authentication.'}, {'type': 'paragraph', 'content': 'If possible, disable remote management or restrict it to secure management networks to reduce exposure.'}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2565. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart