
CVE-2025-10962: Wavlink WL-NU516U1 Firmware RCE Flaw

CVE-2025-10962 is a remote code execution vulnerability in Wavlink WL-NU516U1 firmware caused by command injection in the SetName page. This article covers technical details, affected versions, and mitigation strategies.

CVE-2025-10962 Overview

CVE-2025-10962 is a command injection vulnerability affecting Wavlink WL-NU516U1 routers running firmware version M16U1_V240425. The flaw resides in the sub_403198 function within /cgi-bin/wireless.cgi, which handles requests from the SetName page. An authenticated remote attacker can manipulate the mac_5g argument to inject operating system commands processed by the underlying shell. A public proof-of-concept is available, and the vendor did not respond to disclosure attempts. The weakness is categorized as [CWE-74] Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection).

Critical Impact

Authenticated attackers can inject arbitrary OS commands into the mac_5g parameter via the SetName page, executing code on the router with the privileges of the web service.

Affected Products

  • Wavlink WL-NU516U1 hardware (cpe:2.3:h:wavlink:wl-nu516u1)
  • Wavlink WL-NU516U1 firmware version M16U1_V240425
  • Devices exposing /cgi-bin/wireless.cgi via the management interface

Discovery Timeline

  • 2025-09-25 - CVE-2025-10962 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-10962

Vulnerability Analysis

The Wavlink WL-NU516U1 router exposes a CGI endpoint at /cgi-bin/wireless.cgi that handles wireless configuration requests. The internal function sub_403198 processes parameters submitted through the SetName page, including the mac_5g argument used to assign a MAC address to the 5GHz radio interface. The function passes the supplied value to a shell execution context without sanitization or validation. Attackers can append shell metacharacters to mac_5g and execute arbitrary commands on the device. The exploit operates over the network and requires low-privilege credentials, making compromise feasible from any host that can reach the router's management interface. According to VulDB, the EPSS exploitation probability sits in the 93rd percentile, indicating elevated attacker interest.

Root Cause

The root cause is improper neutralization of special elements passed to a downstream shell interpreter ([CWE-74]). The sub_403198 handler concatenates the mac_5g user input directly into a system command string. No allow-list, regex validation, or escaping is applied to enforce MAC address syntax before invocation.

Attack Vector

An attacker with valid web interface credentials sends a crafted HTTP request to /cgi-bin/wireless.cgi targeting the SetName handler. The mac_5g parameter carries shell metacharacters such as backticks, semicolons, or $() sequences that break out of the intended command context. The injected payload executes with the privileges of the CGI process, typically root on consumer router firmware. Refer to the GitHub PoC Documentation for the full request structure used during validation.

Detection Methods for CVE-2025-10962

Indicators of Compromise

  • HTTP POST requests to /cgi-bin/wireless.cgi containing shell metacharacters (;, |, `, $()) inside the mac_5g parameter.
  • Outbound connections from the router to unexpected hosts following SetName page submissions.
  • New or modified files in writable firmware locations such as /tmp or /var shortly after web admin sessions.

Detection Strategies

  • Inspect router access logs and upstream proxy logs for wireless.cgi requests where mac_5g does not match a strict MAC address pattern (^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$).
  • Deploy network IDS signatures that flag CGI parameters containing shell command separators destined for Wavlink management endpoints.
  • Correlate authentication events on the router admin panel with subsequent anomalous DNS or outbound traffic patterns.
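
An added example, not taken from the advisory or the PoC: the strict MAC allow-list that the Root Cause section says is missing, applied as the log check from the first detection strategy. The record layout, addresses and PLACEHOLDER strings are constructed, and the (source, method, URL, form body) log shape is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Strict MAC pattern from the detection strategy. fullmatch() is used because
# a bare `$` in Python also matches just before a trailing newline.
MAC_RE = re.compile(r"([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")
TARGET_PATH = "/cgi-bin/wireless.cgi"
PARAM = "mac_5g"

# Constructed records in an assumed proxy-log shape: (source, method, URL, form body).
SAMPLE_LOG = [
    ("192.168.1.20", "POST", "/cgi-bin/wireless.cgi", "mac_5g=00%3A11%3A22%3AAA%3ABB%3ACC"),
    ("192.168.1.31", "POST", "/cgi-bin/wireless.cgi", "mac_5g=00%3A11%3A22%3AAA%3ABB%3ACC%3BPLACEHOLDER"),
    ("192.168.1.31", "POST", "/cgi-bin/wireless.cgi?mac_5g=%24%28PLACEHOLDER%29", ""),
    ("192.168.1.40", "POST", "/cgi-bin/wireless.cgi", "mac_5g=00-11-22-AA-BB-CC%0A"),
    ("192.168.1.20", "POST", "/cgi-bin/wireless.cgi",
     "mac_5g=00%3A11%3A22%3AAA%3ABB%3ACC&mac_5g=%60PLACEHOLDER%60"),
    ("192.168.1.20", "GET", "/cgi-bin/login.cgi?mac_5g=x", ""),
]

def is_strict_mac(value):
    """Allow-list check: the whole value must be a MAC address, nothing more."""
    return MAC_RE.fullmatch(value) is not None

def suspicious_values(url, body):
    """Return every mac_5g value (query string or form body) that is not a strict MAC."""
    parts = urlsplit(url)
    if parts.path != TARGET_PATH:
        return []
    values = []
    for encoded in (parts.query, body):
        # keep_blank_values so an empty mac_5g is reported rather than dropped
        values += parse_qs(encoded, keep_blank_values=True).get(PARAM, [])
    return [v for v in values if not is_strict_mac(v)]

def scan(records):
    """Return (source, bad_values) for each record that needs review."""
    alerts = []
    for source, _method, url, body in records:
        bad = suspicious_values(url, body)
        if bad:
            alerts.append((source, bad))
    return alerts

if __name__ == "__main__":
    for source, bad in scan(SAMPLE_LOG):
        print(f"ALERT src={source} {PARAM}={bad!r}")
```

Values are URL-decoded before matching, and every occurrence of a repeated mac_5g parameter is checked, so a valid first value does not hide an invalid second one.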

Monitoring Recommendations

  • Restrict and log access to the router management interface; alert on administrative logins from non-management VLANs.
  • Monitor for repeated SetName page submissions from the same source within short windows.
  • Track firmware integrity and configuration baselines for unexpected changes on Wavlink devices.

How to Mitigate CVE-2025-10962

Immediate Actions Required

  • Remove the WL-NU516U1 management interface from any internet-facing exposure and restrict access to a trusted management network.
  • Rotate all administrator credentials on affected Wavlink devices to limit the value of stolen low-privilege accounts.
  • Treat affected devices as untrusted until a vendor patch is verified; segment them from sensitive network zones.

Patch Information

No vendor patch is available. The reporter notes that Wavlink was contacted early about this disclosure but did not respond. Track vendor advisories at the VulDB #325830 Vulnerability entry for updates. Organizations should plan device replacement if firmware updates do not materialize.

Workarounds

  • Place affected routers behind a firewall ACL that blocks inbound HTTP/HTTPS to the management interface from untrusted subnets.
  • Disable remote administration features and require VPN access for any configuration changes.
  • Replace the WL-NU516U1 with a supported device if the vendor remains unresponsive to disclosure.

```bash
# Example iptables rule restricting access to the router admin interface
# The INPUT chain filters traffic addressed to the host the rules run on;
# 192.168.1.0/24 is the example trusted management subnet.
iptables -A INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
