CVE-2025-10963
Published: 25 September 2025
Summary
CVE-2025-10963 is a medium-severity Injection (CWE-74) vulnerability in Wavlink Wl-Nu516U1 Firmware. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059); ranked at the 44.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects those findings before deployment.
Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Command injection in firewall.cgi enables execution via command interpreters (T1059) and indirect command execution (T1202, as noted in advisory). Vulnerability in remote web service facilitates exploitation of public-facing application (T1190) and remote services (T1210).
NVD Description
A security flaw has been discovered in Wavlink NU516U1 M16U1_V240425. Affected is the function sub_4016F0 of the file /cgi-bin/firewall.cgi. The manipulation of the argument del_flag results in command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysis (AI)
CVE-2025-10963 is a command injection vulnerability in the Wavlink NU516U1 router running firmware version M16U1_V240425. The flaw resides in the sub_4016F0 function within the /cgi-bin/firewall.cgi script, where the del_flag argument can be manipulated to inject arbitrary commands. Associated with CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection') and CWE-77 (Command Injection), it has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity with network accessibility and low attack complexity.
The vulnerability can be exploited remotely by an attacker with low privileges, such as an authenticated user, without requiring user interaction. By crafting a malicious request to the firewall.cgi endpoint with a specially manipulated del_flag parameter, the attacker can inject and execute arbitrary system commands on the device, potentially leading to limited confidentiality, integrity, and availability impacts as per the CVSS assessment.
Advisories from VulDB and related references, including public proof-of-concept exploits on GitHub, note that the vendor was contacted early but provided no response or patches. No official mitigations or firmware updates are available, leaving affected devices reliant on network segmentation, access controls, or device replacement to reduce exposure. The exploit code has been publicly released, increasing the risk of active exploitation.
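With no vendor patch available, the practical defensive step besides segmentation is monitoring for abuse of the vulnerable endpoint. The script below is an added example written for this entry; it is not code from the advisory, VulDB, or the vendor. It scans web-server access log lines in Apache combined format (the log lines are constructed samples, and the log format is an assumption, since the page does not say how the router logs requests) for requests to /cgi-bin/firewall.cgi whose del_flag parameter contains shell metacharacters. Because the page does not state what a legitimate del_flag value looks like, the check is a metacharacter denylist; a deployment that knows the legitimate format should replace it with an allowlist.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Characters that a shell interprets specially; none of them belong in a
# firewall-rule identifier handed to a CGI script.  Denylist by assumption,
# because the legitimate format of del_flag is not documented on the page.
SHELL_META = re.compile(r"[;&|`$(){}<>\r\n]")

# Apache "combined" access log, reduced to the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

VULN_PATH = "/cgi-bin/firewall.cgi"
VULN_PARAM = "del_flag"


def inspect_request(path, form_data):
    """Return a finding dict if `form_data` (a URL query or a form-encoded
    POST body) carries a suspicious del_flag for the vulnerable CGI, else None.
    parse_qs percent-decodes and turns '+' into spaces, so the check sees the
    value as the CGI would."""
    if not path.endswith(VULN_PATH):
        return None
    params = parse_qs(form_data, keep_blank_values=True)
    for value in params.get(VULN_PARAM, []):
        if SHELL_META.search(value):
            return {"param": VULN_PARAM, "value": value}
    return None


def scan_log(lines):
    """Run inspect_request over access-log lines and collect the hits.
    Only the query string is visible in an access log; POST bodies must be
    fed to inspect_request from a reverse proxy or WAF that sees them."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        finding = inspect_request(parts.path, parts.query)
        if finding:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), **finding})
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2025:10:01:02 +0000] "GET /cgi-bin/firewall.cgi?del_flag=3 HTTP/1.1" 200 512',
    '192.0.2.10 - - [25/Sep/2025:10:01:09 +0000] "GET /cgi-bin/firewall.cgi?del_flag=3%3Becho+hello HTTP/1.1" 200 512',
    '192.0.2.11 - - [25/Sep/2025:10:02:00 +0000] "GET /cgi-bin/status.cgi?page=1%3Becho HTTP/1.1" 200 128',
    '198.51.100.7 - - [25/Sep/2025:10:03:00 +0000] "GET /cgi-bin/firewall.cgi?del_flag=%24%28echo%29 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} suspicious {hit['param']}={hit['value']!r}")
```

Running the block flags the second and fourth sample lines (a `;` and a `$(` in del_flag) and ignores the third, which carries a metacharacter but targets a different CGI. Line 3 is deliberately included: a rule keyed only on metacharacters anywhere in the URL would be far noisier than one scoped to the vulnerable endpoint and parameter.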
Details
- CWE(s)