CVE-2025-9149
Published: 19 August 2025
Summary
CVE-2025-9149 is a medium-severity Injection (CWE-74) vulnerability in Wavlink WL-NU516U1 firmware. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 20.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Threat & Defense Details
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects them pre-deployment.
Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Remote command injection in the web CGI interface (/cgi-bin/wireless.cgi) via Guest_ssid enables exploitation of a public-facing application (T1190) and indirect command execution (T1202), as noted in advisories.
NVD Description
A vulnerability was determined in Wavlink WL-NU516U1 M16U1_V240425. This impacts the function sub_4032E4 of the file /cgi-bin/wireless.cgi. This manipulation of the argument Guest_ssid causes command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.
Deeper analysis (AI)
CVE-2025-9149 is a command injection vulnerability in the Wavlink WL-NU516U1 router running firmware version M16U1_V240425. The flaw affects the function sub_4032E4 in the file /cgi-bin/wireless.cgi, where manipulation of the Guest_ssid argument triggers command injection. Published on 2025-08-19, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and is linked to CWEs 74 and 77.
The vulnerability can be exploited remotely by an attacker with low privileges, with low attack complexity and no user interaction. Successful exploitation has limited impact on confidentiality, integrity, and availability, and allows arbitrary command execution on the affected device.
Advisories and a proof-of-concept exploit are documented in references including https://github.com/lin-3-start/lin-cve/blob/main/Wavlink/Wavlink.md, its PoC section at https://github.com/lin-3-start/lin-cve/blob/main/Wavlink/Wavlink.md#poc, and VulDB entries at https://vuldb.com/?ctiid.320528, https://vuldb.com/?id.320528, and https://vuldb.com/?submit.629181. The exploit has been publicly disclosed and may be utilized.
Details
- CWE(s)