CVE-2025-9149
Published: 19 August 2025
Summary
CVE-2025-9149 is a low-severity Injection (CWE-74) vulnerability in Wavlink Wl-Nu516U1 Firmware. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 18.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability CVE-2025-9149 affects the Wavlink WL-NU516U1 router running firmware version M16U1_V240425. It exists in the sub_4032E4 function of /cgi-bin/wireless.cgi, where unsanitized input to the Guest_ssid argument permits command injection, as indicated by the associated CWE-74 and CWE-77 classifications.
An authenticated remote attacker with low privileges can supply crafted values to the Guest_ssid parameter over the network to execute arbitrary commands on the device. The CVSS 4.0 score of 2.1 reflects limited impact confined to the vulnerable component, with no effect on adjacent systems.
Public proof-of-concept code has been posted to GitHub, confirming the issue is exploitable, while the EPSS score has remained flat at 0.0158 with no material rise since disclosure on 2025-08-19. No vendor advisories or patches addressing mitigation are referenced in the available sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-25198
Vulnerability details
A vulnerability was determined in Wavlink WL-NU516U1 M16U1_V240425. This impacts the function sub_4032E4 of the file /cgi-bin/wireless.cgi. This manipulation of the argument Guest_ssid causes command injection. The attack is possible to be carried out remotely. The exploit has been publicly…
more
disclosed and may be utilized.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote command injection in the web CGI interface (/cgi-bin/wireless.cgi) via Guest_ssid enables exploitation of a public-facing application (T1190) and indirect command execution (T1202), as noted in advisories.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of the Guest_ssid input argument to sub_4032E4 in wireless.cgi, blocking the command injection vector.
Mandates timely application of firmware patches to remediate the publicly disclosed flaw in M16U1_V240425 before exploitation.
Restricts the low-privilege account's ability to reach or influence the vulnerable wireless.cgi function, limiting injection impact.