CVE-2026-2567
Published: 16 February 2026
Summary
CVE-2026-2567 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Wavlink Wl-Nu516U1 Firmware. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-2567 is a stack-based buffer overflow vulnerability affecting the Wavlink WL-NU516U1 firmware version 20251208. The flaw exists in the sub_401218 function of the /cgi-bin/nas.cgi file and is triggered by manipulating the User1Passwd argument. Published on 2026-02-16, it carries a CVSS 3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and maps to CWEs 119, 121, and 787.
The vulnerability enables remote exploitation by attackers with high privileges, such as authenticated users with administrative access. Low attack complexity and no user interaction are required, allowing attackers to achieve high impacts on confidentiality, integrity, and availability, potentially resulting in arbitrary code execution through the buffer overflow. A public exploit is available for use.
Advisories and further details are documented on VulDB at https://vuldb.com/?ctiid.346174, https://vuldb.com/?id.346174, and https://vuldb.com/?submit.752016. A proof-of-concept exploit is publicly hosted on GitHub at https://github.com/Wlz1112/Wavlink-NU516U1-V251208-/blob/main/nas.cgi_User1Passwd.md.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7663
Vulnerability details
A vulnerability was detected in Wavlink WL-NU516U1 20251208. This vulnerability affects the function sub_401218 of the file /cgi-bin/nas.cgi. Performing a manipulation of the argument User1Passwd results in stack-based buffer overflow. The attack may be initiated remotely. The exploit is now…
more
public and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in public-facing /cgi-bin/nas.cgi web endpoint enables remote code execution (even with PR:H auth), matching T1190 Exploit Public-Facing Application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces bounds checking and sanitization on the User1Passwd argument supplied to /cgi-bin/nas.cgi, preventing the stack overflow in sub_401218.
Applies memory-protection mechanisms (e.g., stack canaries, ASLR, NX) that block successful exploitation of the stack-based buffer overflow even if malicious input reaches the function.
Requires timely application of firmware patches that eliminate the vulnerable sub_401218 code path before a public exploit can be used.