CVE-2026-8228
Undergoing Analysis Undergoing Analysis - In Progress
Command Injection in Wavlink NU516U1 Router

Publication date: 2026-05-10

Last updated on: 2026-05-10

Assigner: VulDB

Description
A security vulnerability has been detected in Wavlink NU516U1 240425. Impacted is the function advance of the file /cgi-bin/wireless.cgi. Such manipulation of the argument wlan_conf/Channel/skiplist/ieee_80211h leads to os command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-10
Last Modified
2026-05-10
Generated
2026-06-19
AI Q&A
2026-05-10
EPSS Evaluated
2026-06-18
NVD
CVE-2026-8228
EUVD
EUVD-2026-28976
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wavlink nu516u1 240425
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-8228 is a Remote Command Execution (RCE) vulnerability found in Wavlink NU516U1 devices. It occurs in the advanced interface function of the file /cgi-bin/wireless.cgi, where certain parameters such as wlan_conf, Channel, skiplist, and ieee_80211h are passed directly to the system without proper input sanitization.

An attacker can exploit this vulnerability by injecting malicious commands into these parameters remotely. For example, by setting wlan_conf to a command like `telnetd -l /bin/sh -p 8894`, the attacker can execute arbitrary commands on the device, effectively gaining control over it.

The vulnerability arises from a critical security oversight in input validation, allowing remote attackers to execute commands on the affected system.

Impact Analysis

This vulnerability allows remote attackers to execute arbitrary commands on the affected Wavlink device without user interaction or authentication.

Exploitation can lead to full control over the device, including the ability to run malicious software, intercept or manipulate network traffic, disrupt device functionality, or use the device as a foothold for further attacks within a network.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious HTTP POST requests sent to the endpoint /cgi-bin/wireless.cgi with crafted parameters such as wlan_conf, Channel, skiplist, or ieee_80211h that contain command injection payloads.

A practical detection method is to capture and analyze network traffic for POST requests targeting /cgi-bin/wireless.cgi and inspect the parameters for unusual command strings.

For example, you can use the following curl command to test if the device is vulnerable by sending a crafted payload:

  • curl -X POST http://[device_ip]/cgi-bin/wireless.cgi -d 'wlan_conf=telnetd -l /bin/sh -p 8894'

Additionally, network intrusion detection systems (NIDS) can be configured to alert on HTTP POST requests containing suspicious command injection patterns targeting this endpoint.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable /cgi-bin/wireless.cgi endpoint by implementing network-level controls such as firewall rules or access control lists to limit access only to trusted users.

Disabling remote management interfaces or services that expose this CGI endpoint can reduce the attack surface.

If possible, update the device firmware or software to a version where this vulnerability is patched, as the vendor was contacted about this issue.

Monitoring logs for suspicious activity and applying input validation or web application firewall (WAF) rules to block malicious payloads targeting the vulnerable parameters can also help mitigate exploitation.

Compliance Impact

The vulnerability CVE-2026-8228 allows remote attackers to execute arbitrary commands on the affected Wavlink device due to improper input sanitization. This can lead to unauthorized access and control over the device.

Such unauthorized access and potential data compromise could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

However, the provided information does not explicitly detail the direct impact on compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8228. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart