CVE-2026-3704
Remote Command Injection in Wavlink NU516U1 Firewall CGI
Publication date: 2026-03-08
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wavlink | wl-nu516u1_firmware | 251208 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-3704 is a remote command injection vulnerability found in the Wavlink NU516U1 router firmware version 251208, specifically in the /cgi-bin/firewall.cgi component.'}, {'type': 'paragraph', 'content': 'The vulnerability arises from an incomplete fix of a previous issue (CVE-2025-10959). The vendor introduced a filtering function (sub_405B2C) to block dangerous shell characters like |, &, and $, but critically omitted the semicolon (;) character, which is used as a command separator in shell commands.'}, {'type': 'paragraph', 'content': "An authenticated remote attacker can exploit this omission by injecting a semicolon into the 'dmz_flag' or 'del_flag' parameter, bypassing the filter and allowing arbitrary shell commands to be executed with root privileges on the device."}, {'type': 'paragraph', 'content': 'The exploit requires authentication and involves sending crafted requests to the firewall.cgi script, enabling remote command execution due to improper input sanitization and unsafe command construction.'}] [2, 3, 4]
How can this vulnerability impact me? :
This vulnerability allows an authenticated remote attacker to execute arbitrary commands on the affected device with root privileges.
Such command injection can compromise the confidentiality, integrity, and availability of the device, potentially allowing the attacker to take full control, disrupt network operations, or use the device as a foothold for further attacks.
Because the exploit is remotely accessible and requires only authentication, it poses a significant security risk to users of the affected Wavlink NU516U1 router firmware version 251208.
Users are strongly advised to upgrade to the fixed firmware version released by the vendor to mitigate this risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking for unauthorized or suspicious command injection attempts targeting the /cgi-bin/firewall.cgi endpoint, specifically involving the dmz_flag or del_flag parameters.'}, {'type': 'paragraph', 'content': 'Since exploitation requires authentication and involves injecting semicolon-separated commands, monitoring HTTP POST requests to /cgi-bin/firewall.cgi with parameters such as firewall=DMZ, DMZEnabled=0, and suspicious dmz_flag or del_flag values containing semicolons (;) can help identify attempts.'}, {'type': 'paragraph', 'content': "A suggested detection approach is to capture and analyze web requests to the router's firewall CGI interface for unusual parameter values containing semicolons or other shell metacharacters that bypass the flawed filter."}, {'type': 'paragraph', 'content': 'Example commands to detect suspicious activity might include using network traffic capture tools like tcpdump or Wireshark to filter HTTP POST requests to /cgi-bin/firewall.cgi, for example:'}, {'type': 'list_item', 'content': "tcpdump -i <interface> -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/cgi-bin/firewall.cgi'"}, {'type': 'list_item', 'content': "grep -r 'dmz_flag=.*;' /var/log/httpd/access.log"}, {'type': 'paragraph', 'content': 'Additionally, reviewing authentication logs and web server logs for POST requests containing semicolons in the dmz_flag or del_flag parameters can help detect exploitation attempts.'}] [2, 3]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The immediate and recommended mitigation step is to upgrade the affected Wavlink NU516U1 router firmware to the fixed version released by the vendor.'}, {'type': 'paragraph', 'content': "Since the vulnerability arises from an incomplete patch in firmware version V251208, applying the vendor's updated firmware that properly addresses the command injection issue will prevent exploitation."}, {'type': 'paragraph', 'content': "Until the upgrade can be applied, restrict access to the router's management interface to trusted networks and users only, and monitor for suspicious activity targeting the /cgi-bin/firewall.cgi endpoint."}, {'type': 'paragraph', 'content': 'Avoid using or exposing the vulnerable DMZ or port forwarding features that involve the affected parameters.'}, {'type': 'paragraph', 'content': "Consult the vendor's official firmware download site to obtain the fixed firmware version."}] [2, 4, 1]