CVE-2026-8190
Received - Intake
Command Injection in Wavlink NU516U1 Router

Publication date: 2026-05-09

Last updated on: 2026-05-09

Assigner: VulDB

Description
A vulnerability was determined in Wavlink NU516U1 M16U1_V240425. Affected by this issue is the function wan of the file /cgi-bin/adm.cgi. The arguments ppp_username, ppp_passwd, rwan_ip, rwan_mask and rwan_gateway are passed through directly from attacker-controlled input, so manipulating them causes OS command injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure.
Meta Information
Published: 2026-05-09
Last Modified: 2026-05-09
Generated: 2026-05-09
AI Q&A: 2026-05-09
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor    Product    Version / Range
wavlink   nu516u1    m16u1_v240425
CWE
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-8190 is a Remote Command Execution (RCE) vulnerability in the Wavlink NU516U1 device's WAN interface. It occurs because certain parameters (ppp_username, ppp_passwd, rwan_ip, rwan_mask, and rwan_gateway) are taken directly from user input and passed without proper sanitization to the system. This allows an attacker to inject malicious operating system commands through these parameters.

For example, an attacker could set the ppp_username parameter to a command like $(telnetd -l /bin/sh -p 8890), which would start a telnet server on the device, granting shell access. The attack is performed by sending a crafted HTTP POST request to the /cgi-bin/adm.cgi endpoint with the malicious payload.

Successful exploitation gives the attacker full control over the affected device.


How can this vulnerability impact me?

This vulnerability allows an attacker to remotely execute arbitrary commands on the affected device, potentially gaining full control over it.

  • Unauthorized access to device settings and data.
  • Ability to install malicious software or backdoors.
  • Disruption of network services or device functionality.
  • Potential pivot point for further attacks within the network.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for suspicious HTTP POST requests to the endpoint /cgi-bin/adm.cgi, especially those containing unusual or command injection payloads in the parameters ppp_username, ppp_passwd, rwan_ip, rwan_mask, or rwan_gateway.

A practical detection method is to capture and analyze network traffic for POST requests with these parameters containing shell commands or suspicious strings such as $(telnetd -l /bin/sh -p 8890).

For example, command-line tools can help here: tcpdump can capture exploitation attempts, and curl can test whether a device is affected.

  • Use tcpdump to capture HTTP POST requests to /cgi-bin/adm.cgi (-l line-buffers the output so grep sees each line as it arrives):
    tcpdump -l -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/cgi-bin/adm.cgi'
  • Use curl to test for command injection by sending a crafted POST request:
    curl -X POST http://<target-ip>/cgi-bin/adm.cgi -d 'ppp_username=$(id)&ppp_passwd=test&rwan_ip=1.1.1.1&rwan_mask=255.255.255.0&rwan_gateway=1.1.1.254'

If the response or device behavior indicates execution of injected commands, the vulnerability is present.
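
The monitoring described above, as an added example (not code from the original page or from the vendor): a Python check that inspects one captured HTTP request and flags the five affected parameters when their percent-decoded values contain shell command syntax. The sample requests are constructed, and treating rwan_ip, rwan_mask and rwan_gateway as dotted-quad IPv4 values is an assumption based on the values in the curl test above.

```python
import re
from urllib.parse import parse_qsl

ENDPOINT = "/cgi-bin/adm.cgi"
WATCHED = {"ppp_username", "ppp_passwd", "rwan_ip", "rwan_mask", "rwan_gateway"}
NETWORK_FIELDS = {"rwan_ip", "rwan_mask", "rwan_gateway"}  # assumed to hold IPv4 values
# Command substitution, backticks, separators and newlines: shell syntax that has
# no place in these fields. A heuristic; unusual PPP passwords can trip it.
SHELL_SYNTAX = re.compile(r"\$\(|[`;|&\n]")
DOTTED_QUAD = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")

def inspect_request(raw):
    """Return a list of (parameter, reason) findings for one raw HTTP request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) < 2 or parts[0] != "POST" or parts[1].split("?", 1)[0] != ENDPOINT:
        return []
    findings = []
    # parse_qsl percent-decodes, so an encoded payload is checked in decoded form
    for name, value in parse_qsl(body.decode("latin-1"), keep_blank_values=True):
        if name not in WATCHED:
            continue
        if SHELL_SYNTAX.search(value):
            findings.append((name, "shell syntax"))
        elif name in NETWORK_FIELDS and not DOTTED_QUAD.fullmatch(value):
            findings.append((name, "not a dotted-quad address"))
    return findings

# Constructed sample requests (not captured traffic); 192.0.2.1 is a documentation address
HEAD = b"POST /cgi-bin/adm.cgi HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n"
TAIL = b"&rwan_mask=255.255.255.0&rwan_gateway=1.1.1.254"
SAMPLES = {
    "benign": HEAD + b"ppp_username=alice&ppp_passwd=test&rwan_ip=1.1.1.1" + TAIL,
    "page_payload": HEAD + b"ppp_username=$(id)&ppp_passwd=test&rwan_ip=1.1.1.1" + TAIL,
    "encoded": HEAD + b"ppp_username=alice&ppp_passwd=test&rwan_ip=%24%28id%29" + TAIL,
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(label, inspect_request(request))
```

Because the check runs on decoded values, it also catches the percent-encoded form that a plain grep over the capture would miss.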


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the vulnerable /cgi-bin/adm.cgi endpoint to trusted networks only, such as internal management networks.

Disable remote WAN management if it is enabled to prevent attackers from reaching the vulnerable interface.

Monitor network traffic for suspicious POST requests targeting the vulnerable parameters and block or alert on such attempts.

Apply any available firmware updates or patches provided by the vendor addressing this vulnerability.

If no patch is available, consider isolating the device from untrusted networks until a fix is applied.

