CVE-2025-10959 Overview
CVE-2025-10959 is a command injection vulnerability in the Wavlink WL-NU516U1 router running firmware M16U1_V240425. The flaw resides in the sub_401778 function inside /cgi-bin/firewall.cgi, where the dmz_flag parameter is passed to an underlying shell without sanitization [CWE-74]. Attackers with low-privilege authenticated access can send crafted HTTP requests to inject arbitrary operating system commands. The exploit has been publicly disclosed, and Wavlink did not respond to the researcher's disclosure attempts. No vendor patch is currently available.
Critical Impact
Authenticated attackers can execute arbitrary commands on the router's operating system, enabling persistent device compromise and pivoting into internal networks.
Affected Products
- Wavlink WL-NU516U1 router (hardware)
- Wavlink WL-NU516U1 firmware version M16U1_V240425
- Deployments exposing the web management interface to untrusted networks
Discovery Timeline
- 2025-09-25 - CVE-2025-10959 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-10959
Vulnerability Analysis
The vulnerability affects the firewall configuration handler in the Wavlink WL-NU516U1 web management interface. The sub_401778 function within /cgi-bin/firewall.cgi processes the dmz_flag HTTP parameter and passes its value into a system shell invocation. Because the parameter is not sanitized or validated, shell metacharacters are interpreted by the underlying command interpreter.
The EPSS score of 6.61% (93rd percentile) reflects meaningful exploitation likelihood despite the low CVSS score. The disparity arises because CVSS v4.0 weights the required low-privilege authentication and limited impact scope, while EPSS accounts for publicly available proof-of-concept material and the appeal of consumer network devices as botnet targets.
Root Cause
The root cause is improper neutralization of special elements used in an OS command [CWE-74]. The CGI handler concatenates user-controlled input from the dmz_flag argument directly into a shell command string. Shell metacharacters such as ;, |, &, and backticks are executed by the shell rather than treated as literal data.
Attack Vector
An attacker with valid low-privilege credentials on the router's web interface sends an HTTP request to /cgi-bin/firewall.cgi with a crafted dmz_flag value containing shell metacharacters and appended commands. The injected commands execute with the privileges of the CGI process, typically root on embedded router firmware. Technical details and proof-of-concept steps are documented in the GitHub PoC Repository and cataloged as VulDB #325827.
Detection Methods for CVE-2025-10959
Indicators of Compromise
- HTTP POST or GET requests to /cgi-bin/firewall.cgi containing shell metacharacters (;, |, &, backticks, $()) in the dmz_flag parameter
- Unexpected outbound connections from the router to unknown external hosts following firewall configuration changes
- New processes or persistence artifacts on the router that were not created by legitimate firmware operations
Detection Strategies
- Inspect web server and CGI access logs on the router for suspicious firewall.cgi requests with non-alphanumeric characters in dmz_flag
- Deploy network intrusion detection signatures that flag command injection patterns targeting embedded router CGI endpoints
- Monitor for anomalous DNS queries or scanning behavior originating from the router's LAN or WAN interface
Monitoring Recommendations
- Baseline normal administrative traffic to the router's management interface and alert on deviations
- Forward router syslog and connection metadata to a centralized analytics platform for retrospective hunting
- Track firmware version and configuration drift across all deployed Wavlink devices
How to Mitigate CVE-2025-10959
Immediate Actions Required
- Restrict access to the router's web management interface to trusted management VLANs only
- Disable remote WAN-side administration on all Wavlink WL-NU516U1 devices
- Rotate all administrative credentials and enforce strong, unique passwords to raise the bar for the low-privilege prerequisite
- Consider replacing the device if it is deployed in security-sensitive environments, given the absence of vendor response
Patch Information
No vendor patch is available. According to the disclosure, Wavlink was contacted before public disclosure but did not respond. Monitor the Wavlink support portal and VulDB entry #325827 for future firmware updates addressing the sub_401778 handler in /cgi-bin/firewall.cgi.
Workarounds
- Place affected routers behind an upstream firewall that blocks inbound access to TCP ports serving the management interface
- Segment the router onto an isolated network so a compromised device cannot pivot into sensitive internal systems
- Replace end-of-life or unsupported Wavlink hardware with vendor-supported alternatives that receive security updates
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

