CVE-2025-10959
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary commands on Wavlink NU516U1 routers by exploiting a command injection flaw in the firewall.cgi component. Attackers can manipulate the dmz_flag parameter to inject malicious commands, potentially gaining full control of affected devices. This affects users of Wavlink NU516U1 routers running firmware version M16U1_V240425.
💻 Affected Systems
- Wavlink NU516U1
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing attackers to establish persistent access, intercept network traffic, pivot to internal networks, or use the device as part of a botnet.
Likely Case
Unauthorized command execution leading to device configuration changes, credential theft, or installation of malware.
If Mitigated
Limited impact with proper network segmentation and access controls preventing exploitation attempts.
🎯 Exploit Status
Proof of concept exploit is publicly available on GitHub. The vulnerability requires access to the web interface but may not require authentication depending on device configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch is available as the vendor has not responded to disclosure. Monitor Wavlink's official website for firmware updates.
🔧 Temporary Workarounds
Disable WAN access to web interface
allPrevent external access to the vulnerable web interface by disabling remote administration
Access router settings > Administration > Remote Management > Disable
Network segmentation
allIsolate affected routers from critical network segments
🧯 If You Can't Patch
- Replace affected devices with supported alternatives
- Implement strict firewall rules blocking all unnecessary inbound traffic to the router
🔍 How to Verify
Check if Vulnerable:
Check firmware version in router web interface under System Status or Administration. If version is M16U1_V240425, the device is vulnerable.Check Version:
curl -s http://router-ip/cgi-bin/status.cgi | grep firmwareVerify Fix Applied:
Verify firmware version has been updated to a version newer than M16U1_V240425. No official fix exists as of analysis.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /cgi-bin/firewall.cgi with suspicious dmz_flag parameters
- Unexpected command execution in system logs
Network Indicators:
- Unusual outbound connections from router to unknown IPs
- Traffic patterns suggesting command and control communication
SIEM Query:
source="router_logs" AND uri="/cgi-bin/firewall.cgi" AND (dmz_flag CONTAINS ";" OR dmz_flag CONTAINS "|" OR dmz_flag CONTAINS "`")🔗 References
- https://github.com/panda666-888/vuls/blob/main/wavlink/nu516u1/DMZ.md
- https://github.com/panda666-888/vuls/blob/main/wavlink/nu516u1/DMZ.md#poc
- https://vuldb.com/?ctiid.325827
- https://vuldb.com/?id.325827
- https://vuldb.com/?submit.652769
- https://github.com/panda666-888/vuls/blob/main/wavlink/nu516u1/DMZ.md
- https://github.com/panda666-888/vuls/blob/main/wavlink/nu516u1/DMZ.md#poc
