CVE-2026-2615
Received Received - Intake
Remote Command Injection in Wavlink WL-NU516U1 Firewall CGI

Publication date: 2026-02-17

Last updated on: 2026-02-18

Assigner: VulDB

Description
A flaw has been found in Wavlink WL-NU516U1 up to 20251208. The affected element is the function singlePortForwardDelete of the file /cgi-bin/firewall.cgi. Executing a manipulation of the argument del_flag can lead to command injection. The attack may be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-17
Last Modified
2026-02-18
Generated
2026-06-16
AI Q&A
2026-02-17
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2615
EUVD
EUVD-2026-7662
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wavlink wl-nu516u1_firmware to 2025-12-08 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2615 is a critical command injection vulnerability found in the Wavlink WL-NU516U1 router firmware up to version 20251208. The flaw exists in the function singlePortForwardDelete within the file /cgi-bin/firewall.cgi. It arises from improper handling of the argument del_flag, which can be manipulated with crafted input to inject arbitrary commands.

The vulnerability occurs because the filter intended to prevent command injection fails to block the semicolon character, which is a command delimiter in shell commands. An authenticated remote attacker can exploit this by injecting a semicolon into the del_flag parameter, bypassing input validation and executing arbitrary shell commands with root privileges.

This allows the attacker to gain full control over the device remotely. The vulnerability corresponds to CWE-77, indicating that externally influenced input is used to construct system commands without proper neutralization of special characters.

Impact Analysis

This vulnerability can severely impact the confidentiality, integrity, and availability of the affected device. An attacker who successfully exploits this flaw can execute arbitrary commands with root privileges, effectively gaining full control over the router.

Such control can allow the attacker to manipulate network traffic, intercept sensitive data, disrupt network services, or use the device as a foothold for further attacks within the network.

The attack can be launched remotely by an authenticated user and is considered easy to perform due to the flawed input validation.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves command injection via the del_flag parameter in the singlePortForwardDelete function of the /cgi-bin/firewall.cgi on Wavlink WL-NU516U1 devices. Detection can focus on monitoring for unusual or unauthorized HTTP requests targeting /cgi-bin/firewall.cgi with suspicious del_flag parameter values containing command delimiters such as semicolons (;).'}, {'type': 'paragraph', 'content': 'You can detect exploitation attempts by capturing and inspecting network traffic for HTTP POST or GET requests to /cgi-bin/firewall.cgi that include the del_flag parameter with suspicious characters or payloads.'}, {'type': 'paragraph', 'content': 'Example commands to detect such activity might include:'}, {'type': 'list_item', 'content': 'Using tcpdump or tshark to capture HTTP traffic to the device and filter for requests containing del_flag:'}, {'type': 'list_item', 'content': "tcpdump -i <interface> -A -s 0 'tcp port 80 and (((ip dst <device_ip>) and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x64656c5f)) or (tcp[((tcp[12:1] & 0xf0) >> 2):8] = 0x64656c5f6c6167))'"}, {'type': 'list_item', 'content': 'Using grep on web server logs or captured HTTP requests to find del_flag parameters with semicolons or other suspicious characters:'}, {'type': 'list_item', 'content': "grep -E 'del_flag=.*;' /path/to/access.log"}, {'type': 'paragraph', 'content': 'Since the vulnerability requires authentication, monitoring for unusual authenticated sessions or commands executed remotely may also help in detection.'}] [1, 3]

Mitigation Strategies

Currently, no vendor response or official patch is available for this vulnerability in the Wavlink WL-NU516U1 firmware up to version 20251208.

Immediate mitigation steps include:

  • Restrict remote access to the affected device, especially to the /cgi-bin/firewall.cgi endpoint, to trusted networks or IP addresses only.
  • Disable or limit port forwarding features if not required, as the vulnerability is in the port forward delete function.
  • Monitor device logs and network traffic for suspicious activity targeting the del_flag parameter.
  • Consider replacing the affected device with a more secure alternative, as no known countermeasures or patches exist.

Applying strict authentication and network segmentation can reduce the risk of exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2615. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart