CVE-2026-3661
Remote Command Injection in Wavlink WL-NU516U1 OTA Upgrade
Publication date: 2026-03-07
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wavlink | wl-nu516u1_firmware | m16u1_v240425 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3661 is a command injection vulnerability found in the WAVLINK WL-NU516U1-A USB Printer Server, specifically in its firmware version M16U1_V240425.
The flaw exists in the function ota_new_upgrade within the /cgi-bin/adm.cgi file, where improper handling of the model argument allows an attacker to inject arbitrary commands.
By manipulating parameters such as model and brand in a crafted HTTP POST request, an attacker can execute unauthorized commands remotely on the device.
This vulnerability can lead to full compromise of the device by allowing arbitrary command execution.
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability allows remote attackers to execute arbitrary commands on the affected device, potentially leading to full compromise.'}, {'type': 'paragraph', 'content': 'The impact includes loss of confidentiality, integrity, and availability of the device.'}, {'type': 'paragraph', 'content': "An attacker could manipulate the device's functions, disrupt its normal operation, or use it as a foothold for further attacks within a network."}] [1, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability can be detected by sending crafted HTTP POST requests to the device's /cgi-bin/adm.cgi endpoint with specific parameters that attempt command injection."}, {'type': 'paragraph', 'content': 'For example, a test command could be constructed to check if arbitrary commands can be executed by injecting a harmless command such as creating a file on the device.'}, {'type': 'list_item', 'content': 'Send a POST request to /cgi-bin/adm.cgi with parameters: page=ota_new_upgrade, brand=admin, and model=1";touch /tmp/1.txt;#"'}, {'type': 'paragraph', 'content': 'If the file /tmp/1.txt is created on the device, it indicates the vulnerability is present and command injection is possible.'}] [1, 2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable device, especially limiting remote access to the /cgi-bin/adm.cgi interface.
Since no known countermeasures or patches have been published by the vendor, it is recommended to replace the affected product to avoid exploitation.
Additionally, monitor network traffic for suspicious HTTP POST requests targeting the adm.cgi script with unusual parameters.