CVE-2026-3703
Received Received - Intake
Out-of-Bounds Write in Wavlink NU516U1 Remote Login CGI

Publication date: 2026-03-08

Last updated on: 2026-03-10

Assigner: VulDB

Description
A flaw has been found in Wavlink NU516U1 251208. This affects the function sub_401A10 of the file /cgi-bin/login.cgi. Executing a manipulation of the argument ipaddr can lead to out-of-bounds write. The attack may be performed from remote. The exploit has been published and may be used. Upgrading the affected component is recommended. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-08
Last Modified
2026-03-10
Generated
2026-05-07
AI Q&A
2026-03-08
EPSS Evaluated
2026-05-05
NVD
CVE-2026-3703
EUVD
EUVD-2026-10211
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wavlink wl-nu516u1_firmware 251208
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

[{'type': 'paragraph', 'content': 'CVE-2026-3703 is a critical stack-based buffer overflow vulnerability found in the Wavlink NU516U1 firmware version V251208, specifically in the function sub_401A10 within the /cgi-bin/login.cgi component.'}, {'type': 'paragraph', 'content': 'The vulnerability arises from improper handling of the "ipaddr" parameter, which is user-controlled input. The function uses a fixed-size 128-byte stack buffer to store a formatted command string. However, the input length is not properly validated before being concatenated into this buffer using sprintf, which does not check bounds.'}, {'type': 'paragraph', 'content': 'If the ipaddr parameter exceeds approximately 106 bytes, sprintf causes a stack buffer overflow, overwriting adjacent local variables and the function’s return address. This can lead to a segmentation fault, crashing the CGI process and causing Denial of Service (DoS). Under certain conditions, this overflow could be exploited for Remote Code Execution (RCE).'}, {'type': 'paragraph', 'content': 'Exploitation requires knowledge of the MD5 hash of the administrator password and a valid session cookie to send crafted POST requests with an overly long ipaddr parameter composed of allowed characters.'}] [1, 2, 3]


How can this vulnerability impact me? :

[{'type': 'paragraph', 'content': "This vulnerability can impact you by allowing an attacker to remotely crash the affected device's login CGI process, causing Denial of Service (DoS), which disrupts normal operation."}, {'type': 'paragraph', 'content': 'More severely, under specific conditions, the vulnerability could be exploited to achieve Remote Code Execution (RCE), allowing an attacker to execute arbitrary code on the device remotely.'}, {'type': 'paragraph', 'content': 'Exploitation does not require physical access but does require a valid session cookie and knowledge of the administrator password hash, making it a significant security risk if these prerequisites are met.'}] [1, 2, 3]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

[{'type': 'paragraph', 'content': "This vulnerability can be detected by sending a POST request to the /cgi-bin/login.cgi endpoint with the ipaddr parameter set to a string longer than approximately 106 bytes composed of allowed characters (e.g., repeated 'A's)."}, {'type': 'paragraph', 'content': 'If the server responds with an HTTP 500 Internal Server Error, it indicates a crash caused by the stack buffer overflow, confirming the presence of the vulnerability.'}, {'type': 'paragraph', 'content': 'A normal-length ipaddr input returns HTTP 200 OK, so comparing responses can help detect the issue.'}, {'type': 'paragraph', 'content': 'Example command using curl to test the vulnerability (replace <session_cookie> and <admin_password_md5> accordingly):'}, {'type': 'list_item', 'content': 'curl -X POST https://<target-ip>/cgi-bin/login.cgi -H "Cookie: <session_cookie>" -d "password=<admin_password_md5>&ipaddr=$(python3 -c \'print("A"*110)\')" -v'}, {'type': 'paragraph', 'content': 'A response with HTTP 500 indicates the vulnerability is present due to the buffer overflow crash.'}] [1, 2]


What immediate steps should I take to mitigate this vulnerability?

The primary and recommended mitigation step is to upgrade the Wavlink NU516U1 device firmware to the fixed version released by the vendor.

Until the upgrade can be applied, restrict access to the /cgi-bin/login.cgi endpoint to trusted users only, as exploitation requires a valid session cookie and knowledge of the administrator password hash.

Monitor network traffic for suspicious POST requests with unusually long ipaddr parameters and consider implementing web application firewall (WAF) rules to block such requests.

Change the administrator password to a strong, unique value to reduce the risk of attackers obtaining the required MD5 hash.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart