CVE-2026-8192
Undergoing Analysis Undergoing Analysis - In Progress
Command Injection in Wavlink NU516U1 Router

Publication date: 2026-05-09

Last updated on: 2026-05-11

Assigner: VulDB

Description
A security flaw has been discovered in Wavlink NU516U1 M16U1_V240425. This vulnerability affects the function wzdap of the file /cgi-bin/adm.cgi. Performing a manipulation of the argument EncrypType/wl_Pass is directly passed by the attacker/so we can control the EncrypType/wl_Pass results in os command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-09
Last Modified
2026-05-11
Generated
2026-06-19
AI Q&A
2026-05-09
EPSS Evaluated
2026-06-18
NVD
CVE-2026-8192
EUVD
EUVD-2026-28920
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wavlink nu516u1 *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability CVE-2026-8192 allows remote code execution on the affected Wavlink device, which can lead to unauthorized access to the device's operating system.

Such unauthorized access could potentially lead to data breaches or unauthorized data manipulation, which may impact compliance with data protection standards and regulations like GDPR or HIPAA.

However, the provided information does not explicitly describe the direct effects on compliance with these standards.

Executive Summary

CVE-2026-8192 is a Remote Command Execution (RCE) vulnerability in the Wavlink NU516U1 device, specifically in the wzdap function of the /cgi-bin/adm.cgi file.

The flaw occurs because the parameters EncrypType and wl_Pass are passed directly to the system without proper sanitization, allowing an attacker to inject malicious operating system commands.

For example, an attacker can set EncrypType to a command like 'telnetd -l /bin/sh -p 8892' to start a telnet server on the device, granting shell access remotely.

The attack is performed via a POST request to /cgi-bin/adm.cgi, enabling remote exploitation without user interaction.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary commands on the affected device remotely.

Successful exploitation can lead to unauthorized access to the device's operating system, potentially allowing the attacker to control the device, steal data, or use it as a foothold for further attacks within a network.

Because the exploit is publicly available, the risk of attack is increased.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint /cgi-bin/adm.cgi that include manipulation of the EncrypType or wl_Pass parameters.

One way to detect exploitation attempts is to look for unusual commands being executed or network activity such as a telnet server running on port 8892, which is used in the proof-of-concept exploit.

  • Use network monitoring tools or intrusion detection systems (IDS) to capture POST requests to /cgi-bin/adm.cgi and inspect the parameters for suspicious values.
  • On the device, check for unexpected processes such as a telnet server running on port 8892: `netstat -an | grep 8892`
  • Check running processes for suspicious commands: `ps aux | grep telnetd`
Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable /cgi-bin/adm.cgi endpoint to trusted networks only.

Disable or block remote access to the device's administrative interface if not needed.

Monitor the device for signs of compromise such as unexpected open ports or running processes.

Apply any available patches or updates from the vendor once released.

As a temporary workaround, consider implementing input validation or filtering on the parameters EncrypType and wl_Pass to prevent command injection.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8192. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart