Command Injection Vulnerability in Wavlink NU516U1 Wireless Configuration
CVE-2025-10961

5.1 MEDIUM

Key Information:

Vendor

Wavlink

Status
Vendor
CVE Published:
25 September 2025

What is CVE-2025-10961?

A command injection vulnerability has been identified in the Wavlink NU516U1 device, specifically within the Delete_Mac_list functionality of the wireless.cgi script. This vulnerability arises from insufficient input validation in the function sub_4030C0. An attacker can exploit this flaw by crafting a malicious delete_list argument, allowing them to execute arbitrary commands on the device. Despite early notification of this vulnerability to the vendor, there has been no response, highlighting the importance of addressing vulnerabilities promptly to maintain device and network security.

Affected Version(s)

NU516U1 M16U1_V240425

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

panda_0x1 (VulDB User)