CVE-2025-10960: Command injection vulnerability in Wavlink NU516U1 M16U1_V240425 DeleteMac Page allows remote attackers to execute arbitrary commands via the delete_list parameter.


Description Preview

A command injection vulnerability, rated critical in its public disclosure, has been identified in the Wavlink NU516U1 router running firmware M16U1_V240425. The flaw is in the DeleteMac Page handler of /cgi-bin/wireless.cgi: the value of the delete_list request parameter reaches a command-building routine (identified in the disclosure by its disassembler-assigned name, sub_402D1C) without being neutralized, so shell metacharacters in that parameter allow an attacker to append arbitrary commands. The handler can be reached over the network, and successful exploitation gives the attacker command execution on the device itself, with whatever privileges the CGI process holds, which on embedded routers of this kind is typically root. The vulnerability has been publicly disclosed together with a proof-of-concept exploit, which increases the likelihood of active exploitation. The vendor was notified early but has not responded, so no fix is available and users remain exposed.

Overview

The vulnerability in the Wavlink NU516U1 M16U1_V240425 device is classified as a command injection flaw and is mapped to CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection') and its more specific child CWE-77 (Improper Neutralization of Special Elements used in a Command). It affects the DeleteMac Page functionality, which is meant to remove entries from the wireless MAC filter list; because the list entries are passed to a downstream command interpreter without validation, an attacker can inject and execute arbitrary system commands. The vulnerability has a CVSS v3.1 base score of 6.3 (Medium). That score corresponds to a network attack vector, low attack complexity, low privileges required (an authenticated session on the web interface), no user interaction, unchanged scope, and low-rated impact on each of confidentiality, integrity, and availability (vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). Note that the "Low" impact ratings reflect the scoring convention used by the disclosing database rather than a technical limit: command execution on the router gives an attacker full control of the device, its configuration, and the traffic it forwards.
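To make the bug class concrete, the following added example (written for this page; it is not the Wavlink firmware's code, which is only available as a binary) shows a CGI-style handler that splices a delete_list parameter into a command line destined for system(), beside a hardened handler that validates every entry as a MAC address and invokes the helper through execv() with an argv vector, so no shell ever parses the input. The helper path /sbin/mac_filter and its del argument are hypothetical placeholders, and the hostile input string is constructed for the demonstration.

```c
/*
 * Added example, not the Wavlink firmware's code. Illustrates the bug
 * class behind CVE-2025-10960: a CGI handler that splices a user-supplied
 * "delete_list" parameter into a shell command string, beside a hardened
 * handler that validates each entry as a MAC address and executes the
 * helper via execv() without a shell. The helper path "/sbin/mac_filter"
 * and its "del" argument are hypothetical.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAC_LEN 17      /* "aa:bb:cc:dd:ee:ff" */
#define MAX_MACS 16

/* VULNERABLE PATTERN: the raw parameter lands inside a command line that
 * the caller hands to system(). An input such as
 * "aa:bb:cc:dd:ee:ff;reboot" makes /bin/sh run "reboot" after the helper.
 * Returns 0 on success, -1 if the buffer is too small. */
int build_delete_cmd_unsafe(const char *delete_list, char *cmd, size_t cmd_len)
{
    int n = snprintf(cmd, cmd_len, "/sbin/mac_filter del %s", delete_list);
    /* a real handler would now call system(cmd) */
    return (n < 0 || (size_t)n >= cmd_len) ? -1 : 0;
}

/* Allow-list check: exactly six colon-separated hex octets, nothing else.
 * Returns 1 if well-formed, 0 otherwise. */
int is_valid_mac(const char *s)
{
    if (strlen(s) != MAC_LEN)
        return 0;
    for (int i = 0; i < MAC_LEN; i++) {
        if (i % 3 == 2) {
            if (s[i] != ':')
                return 0;
        } else if (!isxdigit((unsigned char)s[i])) {
            return 0;
        }
    }
    return 1;
}

/* Split a comma-separated delete_list into validated MACs.
 * Returns the number of entries, or -1 if any entry is malformed or the
 * list is too long; the whole request is rejected rather than partially
 * applied. */
int parse_delete_list(const char *delete_list, char macs[][MAC_LEN + 1], int max)
{
    char buf[512];
    if (strlen(delete_list) >= sizeof buf)
        return -1;
    strcpy(buf, delete_list);

    int count = 0;
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        if (count >= max || !is_valid_mac(tok))
            return -1;
        strcpy(macs[count++], tok);
    }
    return count;
}

/* HARDENED PATTERN: validate first, then run the helper once per MAC via
 * fork()+execv() with an argv vector. No shell is involved, so
 * metacharacters in the input are never interpreted. Returns 0 if every
 * helper invocation exited 0, -1 on rejected input or helper failure. */
int delete_macs_safe(const char *delete_list)
{
    char macs[MAX_MACS][MAC_LEN + 1];
    int n = parse_delete_list(delete_list, macs, MAX_MACS);
    if (n < 0)
        return -1;
    for (int i = 0; i < n; i++) {
        pid_t pid = fork();
        if (pid < 0)
            return -1;
        if (pid == 0) {
            char *argv[] = { "/sbin/mac_filter", "del", macs[i], NULL };
            execv(argv[0], argv);
            _exit(127);   /* helper missing or not executable */
        }
        int status = 0;
        waitpid(pid, &status, 0);
        if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
            return -1;
    }
    return 0;
}

int main(void)
{
    char cmd[256];
    const char *hostile = "aa:bb:cc:dd:ee:ff;reboot";   /* constructed input */
    build_delete_cmd_unsafe(hostile, cmd, sizeof cmd);
    printf("unsafe command line passed to system(): %s\n", cmd);
    printf("hardened handler result (-1 = rejected): %d\n", delete_macs_safe(hostile));
    return 0;
}
```

The design point is that escaping metacharacters is the wrong fix for this class of bug: the hardened path never builds a shell command at all, and it rejects the entire request if any entry fails the allow-list check, so an attacker cannot smuggle a payload past a partially applied list.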

Remediation

As of the vulnerability disclosure, no official patch or fix has been released by the vendor. Users of the affected Wavlink NU516U1 M16U1_V240425 device should take the following precautions:

  1. Restrict access to the device's web management interface to trusted hosts only, and never expose it to the WAN/Internet. Exploitation requires an authenticated (low-privilege) session, so also replace any default or shared administrator credentials; this raises the bar but does not remove the flaw.
  2. Where logging is available (on the device, a reverse proxy, or a network sensor), watch for requests to /cgi-bin/wireless.cgi whose delete_list parameter contains anything other than comma-separated MAC addresses, in particular shell metacharacters such as `;`, `|`, `&`, backticks, or `$(`.
  3. Avoid using the wireless MAC filter management page (the DeleteMac function) from untrusted networks, and consider disabling remote management entirely if it is not needed.
  4. Check the vendor's website regularly for a firmware release that addresses this issue and apply it as soon as it is available.
  5. Deploy compensating controls such as a firewall in front of the management interface and an intrusion detection system with a rule for the request pattern above to reduce the risk of exploitation.
  6. If the vendor does not provide a timely security update, plan to replace the device with one from a vendor that maintains a responsive security process.

References

[1] GitHub - Vulnerability details and PoC: https://github.com/panda666-888/vuls/blob/main/wavlink/nu516u1/DeleteMac.md

[2] GitHub - Proof of Concept: https://github.com/panda666-888/vuls/blob/main/wavlink/nu516u1/DeleteMac.md#poc

[3] VulDB - Vulnerability Information: https://vuldb.com/?id.325828

[4] VulDB - CTI Information: https://vuldb.com/?ctiid.325828

[5] VulDB - Submission Details: https://vuldb.com/?submit.652780

Industry Exposure (most to least)

This section shows the prevalence of this CVE across industries based on customer reports, ranked from most to least affected. It is intended to help organizations in these sectors gauge their relative exposure compared to their peers and prioritize patching, resource allocation, and other remediation work related to this CVE.

All twenty tracked industries currently report Low exposure to CVE-2025-10960:

  1. Accommodation & Food Services: Low
  2. Administrative, Support, Waste Management & Remediation Services: Low
  3. Agriculture, Forestry, Fishing & Hunting: Low
  4. Arts, Entertainment & Recreation: Low
  5. Construction: Low
  6. Educational Services: Low
  7. Finance and Insurance: Low
  8. Health Care & Social Assistance: Low
  9. Information: Low
  10. Management of Companies & Enterprises: Low
  11. Manufacturing: Low
  12. Mining: Low
  13. Other Services (except Public Administration): Low
  14. Professional, Scientific, & Technical Services: Low
  15. Public Administration: Low
  16. Real Estate Rental & Leasing: Low
  17. Retail Trade: Low
  18. Transportation & Warehousing: Low
  19. Utilities: Low
  20. Wholesale Trade: Low
