CVE-2026-8190
Undergoing Analysis Undergoing Analysis - In Progress
Command Injection in Wavlink NU516U1 Router

Publication date: 2026-05-09

Last updated on: 2026-05-11

Assigner: VulDB

Description
A vulnerability was determined in Wavlink NU516U1 M16U1_V240425. Affected by this issue is the function wan of the file /cgi-bin/adm.cgi. This manipulation of the argument ppp_username/ppp_passwd/rwan_ip/rwan_mask/rwan_gateway is directly passed by the attacker/so we can control the ppp_username/ppp_passwd/rwan_ip/rwan_mask/rwan_gateway causes os command injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-09
Last Modified
2026-05-11
Generated
2026-06-19
AI Q&A
2026-05-09
EPSS Evaluated
2026-06-18
NVD
CVE-2026-8190
EUVD
EUVD-2026-28918
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wavlink nu516u1 m16u1_v240425
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-8190 is a Remote Command Execution (RCE) vulnerability in the Wavlink NU516U1 device's WAN interface. It occurs because certain parametersβ€”ppp_username, ppp_passwd, rwan_ip, rwan_mask, and rwan_gatewayβ€”are taken directly from user input and passed without proper sanitization to the system. This allows an attacker to inject malicious operating system commands through these parameters.

For example, an attacker could set the ppp_username parameter to a command like $(telnetd -l /bin/sh -p 8890), which would start a telnet server on the device, granting shell access. The attack is performed by sending a crafted HTTP POST request to the /cgi-bin/adm.cgi endpoint with the malicious payload.

Successful exploitation gives the attacker full control over the affected device.

Impact Analysis

This vulnerability allows an attacker to remotely execute arbitrary commands on the affected device, potentially gaining full control over it.

  • Unauthorized access to device settings and data.
  • Ability to install malicious software or backdoors.
  • Disruption of network services or device functionality.
  • Potential pivot point for further attacks within the network.
Detection Guidance

This vulnerability can be detected by monitoring for suspicious HTTP POST requests to the endpoint /cgi-bin/adm.cgi, especially those containing unusual or command injection payloads in the parameters ppp_username, ppp_passwd, rwan_ip, rwan_mask, or rwan_gateway.

A practical detection method is to capture and analyze network traffic for POST requests with these parameters containing shell commands or suspicious strings such as $(telnetd -l /bin/sh -p 8890).

For example, using command-line tools like curl or tcpdump can help detect exploitation attempts.

  • Use tcpdump to capture HTTP POST requests to /cgi-bin/adm.cgi: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/cgi-bin/adm.cgi'
  • Use curl to test for command injection by sending a crafted POST request: curl -X POST http://<target-ip>/cgi-bin/adm.cgi -d 'ppp_username=$(id)&ppp_passwd=test&rwan_ip=1.1.1.1&rwan_mask=255.255.255.0&rwan_gateway=1.1.1.254'

If the response or device behavior indicates execution of injected commands, the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable /cgi-bin/adm.cgi endpoint to trusted networks only, such as internal management networks.

Disable remote WAN management if it is enabled to prevent attackers from reaching the vulnerable interface.

Monitor network traffic for suspicious POST requests targeting the vulnerable parameters and block or alert on such attempts.

Apply any available firmware updates or patches provided by the vendor addressing this vulnerability.

If no patch is available, consider isolating the device from untrusted networks until a fix is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8190. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart