CVE-2026-2615
Remote Command Injection in Wavlink WL-NU516U1 Firewall CGI
Publication date: 2026-02-17
Last updated on: 2026-02-18
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wavlink | wl-nu516u1_firmware | up to and including 2025-12-08 (firmware 20251208) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2615 is a critical command injection vulnerability found in the Wavlink WL-NU516U1 router firmware up to version 20251208. The flaw exists in the function singlePortForwardDelete within the file /cgi-bin/firewall.cgi. It arises from improper handling of the argument del_flag, which can be manipulated with crafted input to inject arbitrary commands.
The vulnerability occurs because the filter intended to prevent command injection fails to block the semicolon character, which a POSIX shell treats as a command separator. An authenticated remote attacker can exploit this by placing a semicolon followed by a command of their choice in the del_flag parameter; the value passes the filter and the appended command is executed by the shell with root privileges.
This allows the attacker to gain full control over the device remotely. The vulnerability corresponds to CWE-77 (Command Injection): externally influenced input is used to construct a system command without proper neutralization of special characters.
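The following is an added illustration of the flaw class described above, not Wavlink's code: a blocklist filter that neutralises several shell metacharacters but forgets ';', feeding a command string that is handed to a shell, next to the hardened form (allowlist validation of the rule index and an argv list that never touches a shell). The `portfwd_delete` command name is a placeholder assumption; the real handler's command is not documented on this page.

```python
import re

# Added, hypothetical reconstruction of the flaw class described above; it is not
# Wavlink's code. "portfwd_delete" stands in for whatever rule-deletion command the
# real handler builds; that name is assumed.
INCOMPLETE_BLOCKLIST = set("|&`$()<>")  # a filter that forgets ';'


def blocklist_filter(value):
    """Strip blocklisted characters. ';' is not in the list, so it survives."""
    return "".join(ch for ch in value if ch not in INCOMPLETE_BLOCKLIST)


def build_delete_command_vulnerable(del_flag):
    """CWE-77 pattern: user input is concatenated into a string handed to a shell."""
    return "portfwd_delete " + blocklist_filter(del_flag)


def commands_the_shell_would_run(command_line):
    """Split an unquoted command line on ';' and newline the way /bin/sh does.
    More than one element means the input escaped the intended command."""
    return [c.strip() for c in re.split(r"[;\n]", command_line) if c.strip()]


def is_valid_del_flag(value):
    """Allowlist instead of blocklist: only a short decimal rule index is acceptable."""
    return re.fullmatch(r"[0-9]{1,4}", value) is not None


def build_delete_command_hardened(del_flag):
    """Validate with the allowlist and return an argv list for subprocess.run(..., shell=False),
    so there is no shell left to interpret delimiters at all."""
    if not is_valid_del_flag(del_flag):
        raise ValueError(f"rejected del_flag: {del_flag!r}")
    return ["portfwd_delete", str(int(del_flag))]


if __name__ == "__main__":
    for payload in ("3", "3|id", "3;id"):
        cmd = build_delete_command_vulnerable(payload)
        print(f"{payload!r:10} -> shell runs {commands_the_shell_would_run(cmd)}")
        print(f"{'':10}    hardened: {'accepted' if is_valid_del_flag(payload) else 'rejected'}")
```

The point of the contrast is that the blocklist does its job for `3|id` (the pipe is stripped, one command runs) and still fails for `3;id`, while the allowlist rejects anything that is not a bare index and the argv form removes the shell from the path entirely.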
How can this vulnerability impact me?
This vulnerability can severely impact the confidentiality, integrity, and availability of the affected device. An attacker who successfully exploits this flaw can execute arbitrary commands with root privileges, effectively gaining full control over the router.
Such control can allow the attacker to manipulate network traffic, intercept sensitive data, disrupt network services, or use the device as a foothold for further attacks within the network.
The attack can be launched remotely by an authenticated user and is considered easy to perform due to the flawed input validation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves command injection via the del_flag parameter in the singlePortForwardDelete function of /cgi-bin/firewall.cgi on Wavlink WL-NU516U1 devices. Detection can focus on HTTP requests to /cgi-bin/firewall.cgi whose del_flag value contains a command delimiter such as a semicolon, either raw (;) or URL-encoded (%3B).
You can detect exploitation attempts by capturing and inspecting network traffic for HTTP GET or POST requests to /cgi-bin/firewall.cgi that carry a del_flag parameter with shell metacharacters. For POST requests the parameter travels in the request body, so an access log that records only the request line will not show it; a packet capture is needed. If the management interface is served over HTTPS, the payload is encrypted and cannot be inspected this way.
Example commands to detect such activity:
- Capture HTTP traffic to the device with tcpdump and filter the decoded payload for the endpoint and the parameter name:
tcpdump -l -i <interface> -A 'tcp port 80 and dst host <device_ip>' | grep -E 'firewall\.cgi|del_flag'
- Search web server logs or exported requests for del_flag values containing a raw or URL-encoded semicolon:
grep -E 'del_flag=[^& ]*(;|%3[Bb])' /path/to/access.log
Since the vulnerability requires authentication, monitoring for unusual authenticated sessions to the management interface may also help in detection.
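The detection logic above, as an added example that is not part of the original advisory: a small Python scanner that URL-decodes the del_flag value before checking it for shell metacharacters (so %3B and %0A are caught, which the grep pattern above only partly covers), applied both to access-log lines and to a raw captured POST whose parameter sits in the body. The log lines and the request are constructed for illustration, and the combined-log format is an assumption; the Wavlink web server's real log format is not documented on this page.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Added detection example, not part of the original advisory. The log lines and the raw
# request below are constructed for illustration; the Wavlink web server's real log
# format is not documented on this page, so the combined-log parser is an assumption.
ENDPOINT = "/cgi-bin/firewall.cgi"
PARAM = "del_flag"

# Characters that end or chain a command in a POSIX shell. They are checked on the
# URL-decoded value, so %3B and %0A are caught as well as a raw ';'.
SHELL_META = re.compile(r"[;|&`$\n\r]")

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3})'
)

SAMPLE_LOG = """\
192.168.1.50 - - [17/Feb/2026:10:01:02 +0000] "POST /cgi-bin/firewall.cgi?del_flag=3 HTTP/1.1" 200 512
192.168.1.50 - - [17/Feb/2026:10:02:17 +0000] "GET /cgi-bin/firewall.cgi?del_flag=3%3Bid HTTP/1.1" 200 512
10.0.0.7 - - [17/Feb/2026:10:03:40 +0000] "GET /cgi-bin/firewall.cgi?del_flag=1;reboot HTTP/1.1" 200 40
192.168.1.50 - - [17/Feb/2026:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# Constructed raw request, as it would appear reassembled from a capture.
SAMPLE_POST = (
    "POST /cgi-bin/firewall.cgi HTTP/1.1\r\n"
    "Host: 192.168.1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 15\r\n"
    "\r\n"
    "del_flag=2%3Bid"
)


def decode_query(query):
    """Split a query string or form body on '&' only and URL-decode each side.
    Done by hand because urllib.parse.parse_qsl treated ';' as a separator in older
    Python versions, which would hide exactly the delimiter we are looking for."""
    pairs = []
    for chunk in query.split("&"):
        if chunk:
            name, _, value = chunk.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def suspicious_pairs(pairs):
    """Return the (name, decoded value) pairs for del_flag that contain shell metacharacters."""
    return [(n, v) for n, v in pairs if n == PARAM and SHELL_META.search(v)]


def scan_log(text):
    """Scan access-log lines; only the request line is visible, so POST bodies are not covered."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m["target"])
        if target.path != ENDPOINT:
            continue
        for _, value in suspicious_pairs(decode_query(target.query)):
            alerts.append({"src": m["src"], "ts": m["ts"], "method": m["method"], "value": value})
    return alerts


def scan_http_request(raw):
    """Scan one raw HTTP request (e.g. reassembled from a capture): the query string and,
    for POST, the form-encoded body."""
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _ = head.split("\r\n", 1)[0].split(" ", 2)
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return []
    pairs = decode_query(parts.query)
    if method == "POST":
        pairs += decode_query(body)
    return suspicious_pairs(pairs)


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"ALERT {a['ts']} {a['src']} {a['method']} del_flag={a['value']!r}")
    print("POST body hits:", scan_http_request(SAMPLE_POST))
```

Run against the constructed sample the scanner flags the two log lines with `3;id` and `1;reboot` and the POST body with `2;id`, and ignores the benign `del_flag=3` request and the unrelated `/index.html` hit. Feeding it real access logs or requests dumped with `tcpdump -A` only requires adjusting LOG_RE to the device's actual log format.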
What immediate steps should I take to mitigate this vulnerability?
Currently, no vendor response or official patch is available for this vulnerability in the Wavlink WL-NU516U1 firmware up to version 20251208.
Immediate mitigation steps include:
- Restrict access to the device's management interface, and in particular to the /cgi-bin/firewall.cgi endpoint, to trusted networks or IP addresses only; disable remote (WAN-side) management if it is enabled.
- Disable or limit port forwarding features if they are not required, since the vulnerable code is the port forward delete function. Note that turning the feature off in the user interface does not by itself guarantee that the CGI handler stops accepting requests, so this is a reduction of exposure, not a fix.
- Monitor device logs and network traffic for suspicious activity targeting the del_flag parameter.
- Consider replacing the affected device with a supported alternative, as no patch or other effective countermeasure is known at this time.
Because exploitation requires an authenticated session, strong, unique administrator credentials and network segmentation of the management interface further reduce the risk.