CVE-2026-3661
Received Received - Intake
Remote Command Injection in Wavlink WL-NU516U1 OTA Upgrade

Publication date: 2026-03-07

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in Wavlink WL-NU516U1 240425. This affects the function ota_new_upgrade of the file /cgi-bin/adm.cgi. This manipulation of the argument model causes command injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-07
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3661
EUVD
EUVD-2026-10141
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wavlink wl-nu516u1_firmware m16u1_v240425
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3661 is a command injection vulnerability found in the WAVLINK WL-NU516U1-A USB Printer Server, specifically in its firmware version M16U1_V240425.

The flaw exists in the function ota_new_upgrade within the /cgi-bin/adm.cgi file, where improper handling of the model argument allows an attacker to inject arbitrary commands.

By manipulating parameters such as model and brand in a crafted HTTP POST request, an attacker can execute unauthorized commands remotely on the device.

This vulnerability can lead to full compromise of the device by allowing arbitrary command execution.

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability allows remote attackers to execute arbitrary commands on the affected device, potentially leading to full compromise.'}, {'type': 'paragraph', 'content': 'The impact includes loss of confidentiality, integrity, and availability of the device.'}, {'type': 'paragraph', 'content': "An attacker could manipulate the device's functions, disrupt its normal operation, or use it as a foothold for further attacks within a network."}] [1, 3]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by sending crafted HTTP POST requests to the device's /cgi-bin/adm.cgi endpoint with specific parameters that attempt command injection."}, {'type': 'paragraph', 'content': 'For example, a test command could be constructed to check if arbitrary commands can be executed by injecting a harmless command such as creating a file on the device.'}, {'type': 'list_item', 'content': 'Send a POST request to /cgi-bin/adm.cgi with parameters: page=ota_new_upgrade, brand=admin, and model=1";touch /tmp/1.txt;#"'}, {'type': 'paragraph', 'content': 'If the file /tmp/1.txt is created on the device, it indicates the vulnerability is present and command injection is possible.'}] [1, 2, 3]

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable device, especially limiting remote access to the /cgi-bin/adm.cgi interface.

Since no known countermeasures or patches have been published by the vendor, it is recommended to replace the affected product to avoid exploitation.

Additionally, monitor network traffic for suspicious HTTP POST requests targeting the adm.cgi script with unusual parameters.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3661. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart