CVE-2026-8191
OS Command Injection in Wavlink NU516U1 Router
Publication date: 2026-05-09
Last updated on: 2026-05-09
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wavlink | nu516u1 | v240425 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-8191 is a Remote Command Execution (RCE) vulnerability found in the wifi_region interface of Wavlink NU516U1 devices. The vulnerability occurs because the parameters skiplist1 and skiplist2 are passed directly to the system without proper sanitization, allowing an attacker to inject malicious operating system commands.
An attacker can exploit this by sending a crafted POST request to the /cgi-bin/adm.cgi endpoint with specific parameters, including a malicious skiplist1 value. For example, the attacker can execute commands like starting a telnet server on the device, thereby gaining remote shell access.
How can this vulnerability impact me?
This vulnerability allows an attacker to execute arbitrary commands on the affected device remotely without user interaction. Successful exploitation can lead to full remote shell access, enabling the attacker to control the device, manipulate its settings, intercept or redirect network traffic, or use the device as a foothold for further attacks within the network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint /cgi-bin/adm.cgi with the parameter page=wifi_region and unusual values in the skiplist1 or skiplist2 parameters.
A specific indicator of compromise is the presence of commands like 'telnetd -l /bin/sh -p 8891' in the skiplist1 parameter, which is used in the known exploit.
You can use network monitoring tools or web server logs to search for such POST requests. Standard access-log formats record the request line but not the POST body, so matching on page, skiplist1 or skiplist2 requires body logging or captured traffic.
- Use grep or similar tools on web server logs to find suspicious requests: `grep 'POST /cgi-bin/adm.cgi' /var/log/httpd/access_log | grep 'page=wifi_region'`
- Look for suspicious parameter values in captured traffic or logs: `grep -E 'skiplist1=.*telnetd' /var/log/httpd/access_log`
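The detection rule described above, as an added example (not code from the advisory or the vendor) that goes beyond the single telnetd string by also flagging any unexpected character in either parameter. It assumes requests are available as captured method, target and form body, and that a legitimate skip list holds only digits and commas; the sample requests are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/cgi-bin/adm.cgi"        # endpoint named in the advisory
PARAMS = ("skiplist1", "skiplist2")  # parameters named in the advisory
KNOWN_IOC = "telnetd"                # string seen in the known exploit
# Assumption: a legitimate skip list is digits and commas only.
ALLOWED = re.compile(r"[0-9,]*")


def check_request(method, target, body):
    """Return (param, decoded_value, reason) findings for one request."""
    if method.upper() != "POST" or urlsplit(target).path != ENDPOINT:
        return []
    # parse_qs URL-decodes values, so %2F and '+' cannot hide the payload.
    form = parse_qs(body, keep_blank_values=True)
    if "wifi_region" not in form.get("page", []):
        return []
    findings = []
    for name in PARAMS:
        for value in form.get(name, []):
            if KNOWN_IOC in value:
                findings.append((name, value, "known exploit string"))
            elif not ALLOWED.fullmatch(value):
                findings.append((name, value, "unexpected characters"))
    return findings


# Constructed sample requests: (method, target, form body)
SAMPLES = [
    ("POST", ENDPOINT, "page=wifi_region&skiplist1=36%2C40&skiplist2=149"),
    ("POST", ENDPOINT, "page=wifi_region&skiplist1=telnetd+-l+%2Fbin%2Fsh+-p+8891"),
    ("POST", ENDPOINT, "page=wifi_region&skiplist1=36&skiplist2=44+x"),
    ("POST", ENDPOINT, "page=other&skiplist1=telnetd"),
    ("GET", ENDPOINT, ""),
]


def scan(samples):
    """Return (sample_index, finding) for every finding in the samples."""
    return [(i, f) for i, s in enumerate(samples) for f in check_request(*s)]


if __name__ == "__main__":
    for idx, (name, value, reason) in scan(SAMPLES):
        print(f"request {idx}: {name}={value!r} -> {reason}")
```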
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable /cgi-bin/adm.cgi endpoint, especially the wifi_region function.
Implement input validation or filtering to prevent command injection via the skiplist1 and skiplist2 parameters.
If possible, update the device firmware to a version where this vulnerability is patched.
As a temporary measure, monitor and block suspicious POST requests targeting /cgi-bin/adm.cgi with malicious parameters.