CVE-2026-8229
Command Injection in Wavlink NU516U1 Router
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wavlink | nu516u1 | 240425 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-8229 is a Remote Command Execution (RCE) vulnerability in the Wavlink NU516U1 device, specifically in the WifiBasic function of the /cgi-bin/wireless.cgi file.
The vulnerability occurs because the parameters AuthMethod and EncrypType are not properly sanitized when received by the device. An attacker can manipulate these parameters by sending a crafted HTTP POST request, injecting malicious commands.
For example, an attacker can set AuthMethod to a command like "telnetd -l /bin/sh -p 8895", which the device then executes, granting the attacker remote shell access.
How can this vulnerability impact me? :
This vulnerability allows an attacker to remotely execute arbitrary commands on the affected device without user interaction.
Successful exploitation can lead to full control over the device, enabling the attacker to run malicious code, access sensitive information, disrupt network operations, or use the device as a foothold for further attacks within the network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious HTTP POST requests to the /cgi-bin/wireless.cgi endpoint that include manipulated AuthMethod or EncrypType parameters.
For example, you can use network traffic analysis tools or command-line utilities like curl or tcpdump to detect such attempts.
- Use tcpdump to capture HTTP POST requests to the vulnerable endpoint: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/cgi-bin/wireless.cgi'
- Use curl to test the vulnerability by sending a crafted POST request: curl -X POST http://<target-ip>/cgi-bin/wireless.cgi -d 'AuthMethod=telnetd -l /bin/sh -p 8895&EncrypType=somevalue'
Detection involves looking for unusual commands or parameters in these requests that could indicate exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the /cgi-bin/wireless.cgi endpoint to trusted networks only.
Additionally, disable remote management features if not needed, and monitor network traffic for suspicious POST requests targeting the vulnerable parameters.
Applying any available firmware updates or patches from the vendor is also critical once they are released.
As a temporary workaround, consider implementing firewall rules to block malicious payloads or commands in HTTP requests.