CVE-2025-10958

6.3 MEDIUM

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary commands on Wavlink NU516U1 routers by injecting malicious commands through the macAddr parameter in the AddMac page. The flaw exists in the wireless.cgi component and affects devices running firmware version M16U1_V240425. Attackers can exploit this without authentication to gain control of vulnerable devices.

💻 Affected Systems

Products:
  • Wavlink NU516U1
Versions: M16U1_V240425
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface component. Default configuration exposes the vulnerable endpoint.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise, allowing an attacker to install persistent backdoors, intercept network traffic, pivot to internal networks, or use the device as part of a botnet.

🟠 Likely Case

Remote code execution leading to device takeover, credential theft, network reconnaissance, and potential lateral movement within the network.

🟢 If Mitigated

Limited impact if the device is behind a firewall with strict inbound filtering and network segmentation prevents lateral movement.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept exploit is publicly available on GitHub. Remote exploitation is possible without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: UNKNOWN

Vendor Advisory: NONE

Restart Required: No

Instructions:

No official patch available. Vendor has not responded to disclosure. Consider replacing affected devices or implementing workarounds.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate affected devices in a separate VLAN with strict firewall rules that prevent external access to the management interface.

Access Control

all

Implement strict source IP restrictions so that the management interface is reachable only from trusted administrative networks.

🧯 If You Can't Patch

  • Disable remote management interface if not required
  • Implement network monitoring for suspicious traffic to/from affected devices

🔍 How to Verify

Check if Vulnerable:

Check the firmware version via the web interface or SSH. If the version is M16U1_V240425, the device is vulnerable.

Check Version:

Check the web interface System Status page or, from a shell on the device, use: cat /proc/version (this reports the kernel build string; confirm the firmware version against the System Status page).

Verify Fix Applied:

No official fix is available. Verify the workarounds by testing that the management interface is unreachable from untrusted networks.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in system logs
  • Multiple failed authentication attempts followed by successful access
  • Suspicious processes spawned from web interface

Network Indicators:

  • Unusual outbound connections from router
  • Traffic to known malicious IPs
  • Unexpected port scans originating from router

SIEM Query:

source="router_logs" AND ("command injection" OR ("macAddr" AND suspicious_pattern))
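As an added example (not from this advisory or the vendor), a small Python check that applies the "macAddr" indicator above to web access logs: it flags any request to wireless.cgi whose macAddr value is not a well-formed MAC address, which is the only shape a legitimate AddMac request should carry. The request path, log format and sample lines are constructed assumptions; only GET query strings appear in access logs, so POST bodies need request-body logging on the device or an inline proxy.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Canonical MAC address: six hex octets separated by ':' or '-'.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")

# Request line inside a combined-format access log entry: "METHOD TARGET HTTP/x.y".
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (assumed path and format, not taken from the advisory).
# The second line carries a macAddr value that is not a MAC address at all.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /cgi-bin/wireless.cgi?page=AddMac&macAddr=00:11:22:33:44:55 HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "GET /cgi-bin/wireless.cgi?page=AddMac&macAddr=00:11:22:33:44:55%3BINJECTED HTTP/1.1" 200 512
192.0.2.11 - - [01/Jan/2025:10:00:09 +0000] "GET /cgi-bin/wireless.cgi?page=Status HTTP/1.1" 200 2048
"""


def extract_mac_params(line):
    """Return (client_ip, [macAddr values]) for a wireless.cgi request, else None."""
    m = REQ_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("wireless.cgi"):
        return None
    # parse_qs percent-decodes values, so encoded metacharacters are visible here.
    params = parse_qs(parts.query, keep_blank_values=True)
    client_ip = line.split(" ", 1)[0]
    return client_ip, params.get("macAddr", [])


def find_suspicious(log_text):
    """Flag every wireless.cgi request whose macAddr value is not a valid MAC."""
    findings = []
    for line in log_text.splitlines():
        extracted = extract_mac_params(line)
        if not extracted:
            continue
        client_ip, values = extracted
        for value in values:
            if not MAC_RE.match(value):
                findings.append({"client": client_ip, "macAddr": value})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"suspicious macAddr from {hit['client']}: {hit['macAddr']!r}")
```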
