{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3612", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-05T18:20:48.894Z", "datePublished": "2026-03-06T00:32:10.901Z", "dateUpdated": "2026-03-09T15:31:47.417Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-06T00:32:10.901Z"}, "title": "Wavlink WL-NU516U1 OTA Online Upgrade adm.cgi sub_405AF4 command injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "Command Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "Wavlink", "product": "WL-NU516U1", "versions": [{"version": "V240425", "status": "affected"}], "cpes": ["cpe:2.3:o:wavlink:wl-nu516u1_firmware:*:*:*:*:*:*:*:*"], "modules": ["OTA Online Upgrade"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in Wavlink WL-NU516U1 V240425. This affects the function sub_405AF4 of the file /cgi-bin/adm.cgi of the component OTA Online Upgrade. This manipulation of the argument firmware_url causes command injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.6, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "baseSeverity": "HIGH"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 8.3, "vectorString": "AV:N/AC:L/Au:M/C:C/I:C/A:C/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-05T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-05T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-05T19:25:52.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "haimianbaobao (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/?id.349220", "name": "VDB-349220 | Wavlink WL-NU516U1 OTA Online Upgrade adm.cgi sub_405AF4 command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.349220", "name": "VDB-349220 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.754668", "name": "Submit #754668 | Wavlink NU516U1 V240425 Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/Wlz1112/WAVLINK-NU516-V240425/blob/main/firmware_url.md", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T15:31:40.469496Z", "id": "CVE-2026-3612", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T15:31:47.417Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3612", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T15:31:40.469496Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T15:31:43.496Z"}}], "cna": {"title": "Wavlink WL-NU516U1 OTA Online Upgrade adm.cgi sub_405AF4 command injection", "credits": [{"lang": "en", "type": "reporter", "value": "haimianbaobao (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 8.3, "vectorString": "AV:N/AC:L/Au:M/C:C/I:C/A:C/E:POC/RL:ND/RC:UR"}}], "affected": [{"cpes": ["cpe:2.3:o:wavlink:wl-nu516u1_firmware:*:*:*:*:*:*:*:*"], "vendor": "Wavlink", "modules": ["OTA Online Upgrade"], "product": "WL-NU516U1", "versions": [{"status": "affected", "version": "V240425"}]}], "timeline": [{"lang": "en", "time": "2026-03-05T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-05T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-05T19:25:52.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.349220", "name": "VDB-349220 | Wavlink WL-NU516U1 OTA Online Upgrade adm.cgi sub_405AF4 command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.349220", "name": "VDB-349220 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.754668", "name": "Submit #754668 | Wavlink NU516U1 V240425 Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/Wlz1112/WAVLINK-NU516-V240425/blob/main/firmware_url.md", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in Wavlink WL-NU516U1 V240425. This affects the function sub_405AF4 of the file /cgi-bin/adm.cgi of the component OTA Online Upgrade. This manipulation of the argument firmware_url causes command injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "Command Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-06T00:32:10.901Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3612", "state": "PUBLISHED", "dateUpdated": "2026-03-09T15:31:47.417Z", "dateReserved": "2026-03-05T18:20:48.894Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-06T00:32:10.901Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:wavlink:wl-nu516u1_firmware:m16u1_v240425:*:*:*:*:*:*:*", "matchCriteriaId": "44120A31-7BB4-4C48-834B-2C183BC77535", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:wavlink:wl-nu516u1:-:*:*:*:*:*:*:*", "matchCriteriaId": "C697E865-5984-4974-8A11-43CC6940ABFA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in Wavlink WL-NU516U1 V240425. This affects the function sub_405AF4 of the file /cgi-bin/adm.cgi of the component OTA Online Upgrade. This manipulation of the argument firmware_url causes command injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure."}, {"lang": "es", "value": "Se determin\u00f3 una vulnerabilidad en Wavlink WL-NU516U1 V240425. Esto afecta a la funci\u00f3n sub_405AF4 del archivo /cgi-bin/adm.cgi del componente OTA Online Upgrade. Esta manipulaci\u00f3n del argumento firmware_url causa inyecci\u00f3n de comandos. Es posible iniciar el ataque de forma remota. El exploit ha sido divulgado p\u00fablicamente y puede ser utilizado. El proveedor fue contactado tempranamente sobre esta divulgaci\u00f3n."}], "id": "CVE-2026-3612", "lastModified": "2026-03-10T18:29:54.790", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "MULTIPLE", "availabilityImpact": "COMPLETE", "baseScore": 8.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:M/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 6.4, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-06T01:15:54.163", "references": [{"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Wlz1112/WAVLINK-NU516-V240425/blob/main/firmware_url.md"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.349220"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.349220"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.754668"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-77"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "V240425"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "WL-NU516U1", "source": "cna", "vendor": "Wavlink"}, "product": "wl-nu516u1", "vendor": "wavlink"}], "analysis": {"en": {"generated_at": "2026-04-16T11:45:24.015093+00:00", "value": {"mitigation_remediation": ["Upgrade the router firmware to a version that patches the command injection in the OTA upgrade feature.", "If an immediate firmware update is not possible, block or disable access to the /cgi-bin/adm.cgi endpoint using a firewall or device access control rules, preventing unsolicited HTTP requests from reaching the vulnerable CGI.", "If the device must remain visible for other functions, ensure that the firmware_url parameter is strictly validated on the server side: accept only well\u2011formed URLs from trusted sources and sanitize any input before it is passed to system commands."], "summary": {"action": "Immediate Patch", "impact": "Remote Command Execution"}, "threat_synthesis": {"affected_systems": "The affected vendor is Wavlink and the product is the WL\u2011NU516U1 router model. The specific firmware build impacted is V240425, as identified in the advisory. Any devices running this firmware revision are vulnerable unless the firmware is updated or the feature disabled.", "description_and_impact": "The vulnerability exists in the OTA Online Upgrade component of Wavlink WL-NU516U1, specifically in the sub_405AF4 function of adm.cgi. By manipulating the firmware_url argument, an attacker can inject shell commands that the router will execute, leading to remote command execution. This is a classic instance of a command injection flaw and falls under CWE-74 and CWE-77. With successful exploitation, an attacker would gain the ability to run arbitrary commands on the device, potentially compromising the router, exfiltrating configuration data, or using it as a foothold within the local network.", "risk_and_exploitability": "The CVSS score of 8.6 classifies this as a high severity flaw, while the EPSS score of less than 1% indicates a very low yet non\u2011zero probability of widespread exploitation at the time of this assessment. It is not listed in the CISA KEV catalog. The remote nature of the attack combined with the lack of authentication on the adm.cgi endpoint means that an attacker who can reach the device over HTTP will be able to craft a request that triggers the command injection. Although the likelihood of exploitation is currently low, the potential impact remains significant."}}}}, "created": "2026-03-06T14:56:15.006831+00:00", "updated": "2026-04-16T11:45:26.270765+00:00", "vendors": ["wavlink", "wavlink$PRODUCT$wl-nu516u1"]}