Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-10959

CVE-2025-10959: Wavlink WL-NU516U1 Firmware RCE Flaw

CVE-2025-10959 is a remote code execution vulnerability in Wavlink WL-NU516U1 firmware affecting the firewall.cgi file. Attackers can exploit command injection to execute arbitrary commands remotely. This article covers technical details, affected versions, impact assessment, and mitigation strategies.

Published:

CVE-2025-10959 Overview

CVE-2025-10959 is a command injection vulnerability in the Wavlink WL-NU516U1 router running firmware M16U1_V240425. The flaw resides in the sub_401778 function inside /cgi-bin/firewall.cgi, where the dmz_flag parameter is passed to an underlying shell without sanitization [CWE-74]. Attackers with low-privilege authenticated access can send crafted HTTP requests to inject arbitrary operating system commands. The exploit has been publicly disclosed, and Wavlink did not respond to the researcher's disclosure attempts. No vendor patch is currently available.

Critical Impact

Authenticated attackers can execute arbitrary commands on the router's operating system, enabling persistent device compromise and pivoting into internal networks.

Affected Products

  • Wavlink WL-NU516U1 router (hardware)
  • Wavlink WL-NU516U1 firmware version M16U1_V240425
  • Deployments exposing the web management interface to untrusted networks

Discovery Timeline

  • 2025-09-25 - CVE-2025-10959 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-10959

Vulnerability Analysis

The vulnerability affects the firewall configuration handler in the Wavlink WL-NU516U1 web management interface. The sub_401778 function within /cgi-bin/firewall.cgi processes the dmz_flag HTTP parameter and passes its value into a system shell invocation. Because the parameter is not sanitized or validated, shell metacharacters are interpreted by the underlying command interpreter.

The EPSS score of 6.61% (93rd percentile) reflects meaningful exploitation likelihood despite the low CVSS score. The disparity arises because CVSS v4.0 weights the required low-privilege authentication and limited impact scope, while EPSS accounts for publicly available proof-of-concept material and the appeal of consumer network devices as botnet targets.

Root Cause

The root cause is improper neutralization of special elements used in an OS command [CWE-74]. The CGI handler concatenates user-controlled input from the dmz_flag argument directly into a shell command string. Shell metacharacters such as ;, |, &, and backticks are executed by the shell rather than treated as literal data.

Attack Vector

An attacker with valid low-privilege credentials on the router's web interface sends an HTTP request to /cgi-bin/firewall.cgi with a crafted dmz_flag value containing shell metacharacters and appended commands. The injected commands execute with the privileges of the CGI process, typically root on embedded router firmware. Technical details and proof-of-concept steps are documented in the GitHub PoC Repository and cataloged as VulDB #325827.

Detection Methods for CVE-2025-10959

Indicators of Compromise

  • HTTP POST or GET requests to /cgi-bin/firewall.cgi containing shell metacharacters (;, |, &, backticks, $()) in the dmz_flag parameter
  • Unexpected outbound connections from the router to unknown external hosts following firewall configuration changes
  • New processes or persistence artifacts on the router that were not created by legitimate firmware operations

Detection Strategies

  • Inspect web server and CGI access logs on the router for suspicious firewall.cgi requests with non-alphanumeric characters in dmz_flag
  • Deploy network intrusion detection signatures that flag command injection patterns targeting embedded router CGI endpoints
  • Monitor for anomalous DNS queries or scanning behavior originating from the router's LAN or WAN interface

Monitoring Recommendations

  • Baseline normal administrative traffic to the router's management interface and alert on deviations
  • Forward router syslog and connection metadata to a centralized analytics platform for retrospective hunting
  • Track firmware version and configuration drift across all deployed Wavlink devices

How to Mitigate CVE-2025-10959

Immediate Actions Required

  • Restrict access to the router's web management interface to trusted management VLANs only
  • Disable remote WAN-side administration on all Wavlink WL-NU516U1 devices
  • Rotate all administrative credentials and enforce strong, unique passwords to raise the bar for the low-privilege prerequisite
  • Consider replacing the device if it is deployed in security-sensitive environments, given the absence of vendor response

Patch Information

No vendor patch is available. According to the disclosure, Wavlink was contacted before public disclosure but did not respond. Monitor the Wavlink support portal and VulDB entry #325827 for future firmware updates addressing the sub_401778 handler in /cgi-bin/firewall.cgi.

Workarounds

  • Place affected routers behind an upstream firewall that blocks inbound access to TCP ports serving the management interface
  • Segment the router onto an isolated network so a compromised device cannot pivot into sensitive internal systems
  • Replace end-of-life or unsupported Wavlink hardware with vendor-supported alternatives that receive security updates

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.