CVE-2026-2567
Remote Stack-Based Buffer Overflow in Wavlink WL-NU516U1 CGI-Bin
Publication date: 2026-02-16
Last updated on: 2026-02-18
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wavlink | wl-nu516u1_firmware | to 2025-12-08 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-2567 is a stack-based buffer overflow vulnerability found in the Wavlink WL-NU516U1 device, specifically in the function sub_401218 within the file /cgi-bin/nas.cgi. The vulnerability occurs when the User1Passwd argument is manipulated with crafted input that exceeds the buffer size. This happens because the input is escaped by doubling each character and then concatenated into a fixed-size 128-byte stack buffer without boundary checks, causing an overflow when the input is longer than 64 bytes.'}, {'type': 'paragraph', 'content': "This overflow can overwrite adjacent stack variables and the return address, allowing an attacker to hijack the program's control flow upon function return. Exploitation requires a valid authenticated session and setting a specific parameter (enable_storage_management=1) to reach the vulnerable code path. The attack can be initiated remotely, and a proof-of-concept exploit is publicly available."}] [2, 3]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': "Exploitation of this vulnerability can compromise the confidentiality, integrity, and availability of the affected device. By triggering the buffer overflow, an attacker can hijack the program's control flow, potentially executing arbitrary code or causing a denial of service."}, {'type': 'paragraph', 'content': "Since the attack can be performed remotely with low complexity (given valid authentication), it poses a significant security risk. The device's system availability and security can be affected, potentially allowing unauthorized remote access or disruption of services."}] [2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for attempts to exploit the stack-based buffer overflow in the /cgi-bin/nas.cgi script, specifically targeting the User1Passwd parameter with unusually long input values (greater than 64 bytes) when the enable_storage_management parameter is set to 1.'}, {'type': 'paragraph', 'content': 'Detection can involve checking HTTP requests to the vulnerable device for suspicious payloads in the User1Passwd argument or for authenticated sessions attempting to access /cgi-bin/nas.cgi with enable_storage_management=1.'}, {'type': 'list_item', 'content': 'Use network monitoring tools (e.g., Wireshark, tcpdump) to capture HTTP POST requests to /cgi-bin/nas.cgi and filter for requests containing enable_storage_management=1 and long User1Passwd values.'}, {'type': 'list_item', 'content': 'On the device, if accessible, inspect logs for repeated or malformed requests to /cgi-bin/nas.cgi involving User1Passwd.'}, {'type': 'list_item', 'content': "Example command to capture suspicious HTTP requests with tcpdump: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -E 'User1Passwd=.{65,}|enable_storage_management=1'"}] [2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable device, especially limiting remote access to trusted networks or VPNs, since exploitation requires authentication.
Since no official patch or fix is available, consider disabling the storage management feature if possible or restricting the use of the /cgi-bin/nas.cgi interface.
Monitor for exploit attempts and consider replacing the affected Wavlink WL-NU516U1 device with a non-vulnerable alternative to eliminate risk.
- Restrict network access to the device to prevent unauthorized or remote exploitation.
- Disable or limit use of the storage management feature that triggers the vulnerable code path.
- Monitor device logs and network traffic for suspicious activity targeting the User1Passwd parameter.
- Plan for device replacement or firmware update once a patch becomes available.