CVE-2026-15513
Received Received - Intake

OS Command Injection in Wavlink WL-NU516U1

Vulnerability report for CVE-2026-15513, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: VulDB

Description

A security flaw has been discovered in Wavlink WL-NU516U1 260515. This affects the function wlink_uci_set_value of the file /cgi-bin/adm.cgi. Performing a manipulation of the argument lan_ip results in os command injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
wavlink wl-nu516u1 260515
wavlink wl-nu516u1 wo-a-2026-05-15-708c073
mips openwrt 3.10.108

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-15513 is a stored command injection vulnerability in the Wavlink WL-NU516U1 router firmware, specifically in the adm.cgi component.

The vulnerability arises from improper handling of the lan_ip parameter in the wlink_uci_set_value function. An attacker can manipulate this parameter to inject malicious commands.

The attack involves two stages: first, storing a malicious payload via the page=lan handler, which is saved unsanitized in the router's UCI configuration. Later, when the page=openDHCP handler reads this value and uses it in a system call, the payload is executed as a shell command.

The exploit bypasses CSRF protections due to broken SameSite cookie settings and weak Referer validation, allowing remote attackers to execute arbitrary commands on the device.

Impact Analysis

This vulnerability allows remote attackers to execute arbitrary commands on the affected router by injecting malicious payloads into the lan_ip parameter.

Because the payload is stored in the router's configuration, the attacker can achieve persistent remote code execution, potentially leading to full system compromise.

An attacker could use this to take control of the device, disrupt network services, intercept or manipulate network traffic, or use the device as a foothold for further attacks within the network.

Detection Guidance

This vulnerability can be detected by checking if the affected Wavlink WL-NU516U1 router firmware version WO-A-2026-05-15-708c073 or similar versions are in use, as these contain the vulnerable adm.cgi component.

Detection can also involve inspecting the lan_ip parameter in the router's UCI configuration for suspicious or malformed values that do not conform to legitimate IPv4 formats, as this parameter is exploited for command injection.

Since the exploit involves stored command injection triggered remotely via HTTP requests, monitoring HTTP traffic for unusual POST requests to /cgi-bin/adm.cgi with parameters related to lan_ip may help identify exploitation attempts.

Specific commands to detect the vulnerability are not provided in the available resources.

Mitigation Strategies

The primary mitigation step is to upgrade the affected Wavlink WL-NU516U1 router firmware to the fixed version released by the vendor.

Additional recommended mitigations include validating the lan_ip parameter to ensure it only accepts legitimate IPv4 addresses, replacing unsafe code patterns like sprintf() and system() calls with safer alternatives, and improving CSRF protections by adding SameSite=Strict to session cookies and implementing proper CSRF tokens and origin-based Referer validation.

Until the upgrade is applied, monitoring and restricting access to the router's administrative interface can reduce the risk of remote exploitation.

Compliance Impact

The provided context and resources do not include any information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15513. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart