CVE-2026-3662
Received Received - Intake
Remote Command Injection in Wavlink WL-NU516U1 usb_p

Publication date: 2026-03-07

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in Wavlink WL-NU516U1 240425. This vulnerability affects the function usb_p910 of the file /cgi-bin/adm.cgi. Such manipulation of the argument Pr_mode leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-07
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3662
EUVD
EUVD-2026-10142
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wavlink wl-nu516u1_firmware m16u1_v240425
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-3662 is a command injection vulnerability found in the WAVLINK WL-NU516U1 USB Printer Server, specifically in the firmware version 240425. The flaw exists in the adm.cgi module, particularly when the HTTP request parameter "page" is set to "usb_p910." By manipulating the argument "Pr_mode" with crafted input, an attacker can inject and execute arbitrary commands on the device.'}, {'type': 'paragraph', 'content': 'This happens because the device constructs commands using functions like sprintf without proper input validation or sanitization, allowing special characters in the input to alter the command execution flow.'}, {'type': 'paragraph', 'content': 'The vulnerability can be exploited remotely and does not require user interaction, although it requires a higher privilege level (authentication). A proof-of-concept exploit has been publicly disclosed.'}] [1, 2, 3]

Impact Analysis

This vulnerability allows an attacker to remotely execute arbitrary commands on the affected device, potentially leading to full system compromise.

  • Confidentiality impact: Attackers may access sensitive information stored or processed by the device.
  • Integrity impact: Attackers can alter device configurations or data.
  • Availability impact: Attackers might disrupt device operations or cause denial of service.

Because the exploit is easy to perform and publicly available, the risk of exploitation is significant, especially if the device is exposed to untrusted networks.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by sending a crafted HTTP POST request to the device's /cgi-bin/adm.cgi endpoint with the parameter page=usb_p910 and manipulating the Pr_mode argument to test for command injection."}, {'type': 'paragraph', 'content': 'For example, a test command could be a POST request with Pr_mode set to a value like: 1";echo 1 >/tmp/1.txt;# which attempts to inject a shell command that writes a file on the device.'}, {'type': 'paragraph', 'content': 'If the file /tmp/1.txt is created on the device, it indicates the vulnerability is present and command injection is possible.'}, {'type': 'paragraph', 'content': "This detection requires access to the device's HTTP interface and the ability to send POST requests."}] [1, 3]

Mitigation Strategies

[{'type': 'paragraph', 'content': "Immediate mitigation steps include restricting access to the vulnerable device's web interface to trusted networks only, as the attack requires remote HTTP access."}, {'type': 'paragraph', 'content': 'Since no known countermeasures or patches have been published by the vendor, it is recommended to replace the affected product to prevent exploitation.'}, {'type': 'paragraph', 'content': 'Additionally, monitor network traffic for suspicious POST requests targeting /cgi-bin/adm.cgi with the page=usb_p910 parameter.'}] [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3662. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart