CVE-2026-3704

4.7 MEDIUM

📋 TL;DR

This CVE describes a command injection vulnerability in the firewall.cgi component of Wavlink NU516U1 routers. Attackers can remotely execute arbitrary commands on vulnerable devices. This affects users running the vulnerable firmware version of this Wavlink router model.

💻 Affected Systems

Products:
  • Wavlink NU516U1
Versions: 251208 (the affected firmware version)
Operating Systems: Embedded Linux on Wavlink routers
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the firewall.cgi component, which handles DMZ configuration. This vulnerability stems from an incomplete fix for CVE-2025-10959.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise, allowing an attacker to install persistent backdoors, pivot to internal networks, or enlist the device in a botnet.

🟠 Likely Case

Remote code execution leading to device takeover, credential theft, or network reconnaissance.

🟢 If Mitigated

Limited impact if the device is behind a firewall with restricted WAN access and proper network segmentation.

🌐 Internet-Facing: HIGH - Attack can be initiated remotely without authentication.
🏢 Internal Only: MEDIUM - Still vulnerable to internal attackers or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available on GitHub. The vulnerability allows remote command injection without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: WINSTAR_NU516U1-WO-A-2026-02-27-2fcf6ae-mt7628-squashfs-sysupgrade.bin

Vendor Advisory: https://dl.wavlink.com/firmware/RD/WINSTAR_NU516U1-WO-A-2026-02-27-2fcf6ae-mt7628-squashfs-sysupgrade.bin

Restart Required: Yes

Instructions:

1. Download the patched firmware from Wavlink's official site.
2. Access the router admin interface.
3. Navigate to the firmware upgrade section.
4. Upload the new firmware file.
5. Wait for the upgrade to complete and the router to reboot.

🔧 Temporary Workarounds

Disable WAN access to admin interface

Prevent remote exploitation by blocking external access to the router management interface:

# Assumes the LAN is 192.168.1.0/24; adjust to match your network.
# -I inserts at the top of INPUT so these rules take precedence over any existing ACCEPT rules.
# Negation goes before the option (! -s); the older "-s !" form is deprecated.
iptables -I INPUT -p tcp --dport 80 ! -s 192.168.1.0/24 -j DROP
iptables -I INPUT -p tcp --dport 443 ! -s 192.168.1.0/24 -j DROP

Disable DMZ functionality

Remove the attack surface by disabling the vulnerable DMZ configuration component in the router's admin interface.

🧯 If You Can't Patch

  • Isolate affected routers in separate VLAN with strict firewall rules
  • Implement network monitoring for suspicious traffic to/from router management interface

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version in the admin interface. If the version is 251208, the device is vulnerable.

Check Version:

Check the router web interface, or use: curl -s http://router-ip/ | grep -i firmware

Verify Fix Applied:

After patching, verify that the firmware version shows WINSTAR_NU516U1-WO-A-2026-02-27-2fcf6ae-mt7628 or later.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /cgi-bin/firewall.cgi
  • Suspicious command execution in system logs
  • Multiple failed authentication attempts against the router interface

Network Indicators:

  • Unusual outbound connections from router
  • Traffic to known malicious IPs from router
  • Port scanning originating from router

SIEM Query:

source="router-logs" AND (uri="/cgi-bin/firewall.cgi" OR cmd="*sh*" OR cmd="*bash*")
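As an added example (not part of this advisory), the log indicators above turned into a small Python check over constructed access-log lines: it flags requests to /cgi-bin/firewall.cgi that come from outside the LAN or carry shell metacharacters in a query parameter. The LAN range 192.168.1.0/24, the combined log format and the dmz_ip parameter name are assumptions; access logs do not contain POST bodies, so only the query string is inspected.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
# "dmz_ip" is a placeholder parameter name, not taken from the firmware.
SAMPLE_LOG = """\
192.168.1.20 - - [02/Mar/2026:10:14:01 +0000] "GET /cgi-bin/firewall.cgi HTTP/1.1" 200 1532
192.168.1.20 - - [02/Mar/2026:10:14:09 +0000] "POST /cgi-bin/firewall.cgi?dmz_ip=192.168.1.50 HTTP/1.1" 200 212
203.0.113.7 - - [02/Mar/2026:10:15:33 +0000] "POST /cgi-bin/firewall.cgi?dmz_ip=192.168.1.50%3Becho+probed HTTP/1.1" 200 212
203.0.113.7 - - [02/Mar/2026:10:15:40 +0000] "GET /index.html HTTP/1.1" 200 4011
"""

LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN, as in the iptables workaround
TARGET_PATH = "/cgi-bin/firewall.cgi"

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters that never belong in a DMZ host address but do separate or start a shell command.
SHELL_META_RE = re.compile(r"[;|`$\n]|&&")


def analyse_log(text):
    """Return (timestamp, source, reasons) for every firewall.cgi request worth a look."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        parts = urlsplit(m["uri"])
        if parts.path != TARGET_PATH:
            continue
        reasons = []
        # Management traffic from outside the LAN is an indicator on its own.
        if ipaddress.ip_address(m["src"]) not in LAN_NET:
            reasons.append("source outside LAN")
        # Decode each parameter separately, so the '&' between parameters is not mistaken for a metacharacter.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if SHELL_META_RE.search(value):
                reasons.append(f"shell metacharacter in parameter {name!r}")
        if reasons:
            findings.append((m["ts"], m["src"], reasons))
    return findings


if __name__ == "__main__":
    for ts, src, reasons in analyse_log(SAMPLE_LOG):
        print(ts, src, "; ".join(reasons))
```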
