CVE-2026-8191 Overview
CVE-2026-8191 is an operating system (OS) command injection vulnerability affecting the Wavlink NU516U1 router running firmware version M16U1_V240425. The flaw resides in the wifi_region function within the /cgi-bin/adm.cgi endpoint. Attackers can manipulate the skiplist1 and skiplist2 parameters to inject arbitrary OS commands. The vulnerability is exploitable remotely and requires low privileges. Public exploit details are available, increasing the risk of opportunistic exploitation against exposed devices. The vendor was contacted prior to public disclosure. This issue is tracked under CWE-77: Improper Neutralization of Special Elements used in a Command.
Critical Impact
Authenticated remote attackers can inject arbitrary OS commands on affected Wavlink NU516U1 devices through the adm.cgi interface, leading to command execution within the router's operating environment.
Affected Products
- Wavlink WL-NU516U1 hardware device
- Wavlink WL-NU516U1 firmware version M16U1_V240425
- CPE: cpe:2.3:o:wavlink:wl-nu516u1_firmware:m16u1_v240425
Discovery Timeline
- 2026-05-09 - CVE-2026-8191 published to the National Vulnerability Database (NVD)
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-8191
Vulnerability Analysis
The vulnerability exists in the wifi_region handler implemented inside the /cgi-bin/adm.cgi Common Gateway Interface (CGI) binary on the Wavlink NU516U1 router. The handler accepts the skiplist1 and skiplist2 parameters from HTTP requests and incorporates them into shell commands without proper sanitization or neutralization of metacharacters. This pattern matches the classic CWE-77 OS command injection weakness, where untrusted input flows into a command interpreter.
Because the affected endpoint is part of the router's administrative web interface, successful exploitation yields command execution in the context of the web server process, which on consumer routers typically runs with elevated privileges. The exploit has been documented publicly in the GitHub vulnerability writeup and tracked at VulDB #362343.
Root Cause
The root cause is missing input validation and command argument neutralization. The wifi_region function concatenates attacker-controlled values from skiplist1 and skiplist2 directly into a shell command string. Shell metacharacters such as ;, |, and backticks are not stripped or escaped before execution.
Attack Vector
The attack is delivered over the network against the device's web administration interface. The attacker must hold low-level credentials to reach the adm.cgi endpoint. Once authenticated, the attacker submits a crafted HTTP request that places shell metacharacters and commands inside the skiplist1 or skiplist2 parameter. The injected commands execute on the router. Refer to the public proof-of-concept documentation for the specific request structure.
Detection Methods for CVE-2026-8191
Indicators of Compromise
- HTTP requests to /cgi-bin/adm.cgi containing shell metacharacters (;, &&, |, backticks, $()) inside skiplist1 or skiplist2 parameters.
- Unexpected outbound connections originating from the router to unknown hosts.
- Modifications to router configuration files or the presence of new processes spawned by the web server.
Detection Strategies
- Inspect web server and reverse proxy logs for POST or GET requests targeting adm.cgi with the wifi_region action and abnormal skiplist parameter values.
- Deploy network signatures that match command injection patterns in HTTP request bodies destined for Wavlink administrative endpoints.
- Correlate authentication events on the router with subsequent anomalous outbound traffic to detect post-exploitation activity.
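The log inspection described above can be sketched as follows. This is an added example, not code from the advisory or the vendor. It assumes access logs in Apache/nginx "combined" format and form-encoded parameters; the function names and sample lines are constructed for illustration. Because the advisory does not give the name of the request field that selects the wifi_region action, the check keys only on the endpoint path and the two parameter names.

```python
import re
from urllib.parse import urlsplit, parse_qsl

TARGET_PATH = "/cgi-bin/adm.cgi"
WATCHED = {"skiplist1", "skiplist2"}
# Metacharacters named in the indicators list: ; && | backticks $()
# Newline is added here because it also separates shell commands.
META = re.compile(r"[;|`\n]|&&|\$\(")
# Assumed log layout: Apache/nginx "combined" format.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_params(target, body=""):
    """Return (param, decoded value) pairs that carry shell metacharacters."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return []
    # parse_qsl percent-decodes, so %3B and ; are treated alike.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)  # form-encoded POST body
    return [(k, v) for k, v in pairs if k in WATCHED and META.search(v)]

def scan_access_log(lines):
    """Return (client, param, value) for every flagged request line."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if m:
            client, target = m.groups()
            hits += [(client, k, v) for k, v in suspicious_params(target)]
    return hits

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/May/2026:10:01:02 +0000] "GET /cgi-bin/adm.cgi?skiplist1=1%2C2&skiplist2=3 HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.77 - - [14/May/2026:10:05:40 +0000] "GET /cgi-bin/adm.cgi?skiplist1=1%3Bid&skiplist2=3 HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.77 - - [14/May/2026:10:05:41 +0000] "GET /cgi-bin/adm.cgi?skiplist1=1&skiplist2=%24%28id%29 HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.10 - - [14/May/2026:10:06:00 +0000] "GET /index.html?skiplist1=%3B HTTP/1.1" 200 90 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Access logs normally omit POST bodies, so the `body` argument of `suspicious_params` is meant for records from a reverse proxy or sensor that captures them.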
Monitoring Recommendations
- Monitor management interfaces of consumer-grade network devices for exposure to untrusted networks.
- Alert on any HTTP traffic to router CGI endpoints from non-administrative source IP ranges.
- Track firmware version inventory to identify devices running M16U1_V240425 until a patched build is available.
How to Mitigate CVE-2026-8191
Immediate Actions Required
- Restrict access to the router's administrative web interface to trusted internal networks only and disable any remote management features.
- Rotate administrative credentials on affected Wavlink NU516U1 devices to limit the population of accounts that can reach the vulnerable endpoint.
- Place affected devices behind a network segment that blocks inbound connections to /cgi-bin/adm.cgi from untrusted sources.
Patch Information
At the time of publication, no vendor advisory or firmware patch URL is listed in the NVD record for CVE-2026-8191. The vendor was contacted early about the disclosure according to the VulDB entry. Administrators should monitor the Wavlink support portal for an updated firmware release that supersedes M16U1_V240425 and apply it as soon as it becomes available.
Workarounds
- Disable the WAN-side administrative web interface and require LAN-only access.
- Apply network Access Control Lists (ACLs) on upstream equipment to block HTTP/HTTPS traffic to the router's management port from untrusted ranges.
- Replace the device with a supported model if a firmware update is not released within an acceptable risk window.
```bash
# Example: block external access to the router's management interface using iptables on an upstream gateway
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 -m iprange ! --src-range 10.0.0.0-10.0.0.255 -j DROP
iptables -A FORWARD -p tcp -d <router_ip> --dport 443 -m iprange ! --src-range 10.0.0.0-10.0.0.255 -j DROP
```