Cyber Resilience

CVE-2026-2567

HighPublic PoC

Published: 16 February 2026

Published
16 February 2026
Modified
18 February 2026
KEV Added
Patch
CVSS Score v4 7.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0014 34.7th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2567 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Wavlink Wl-Nu516U1 Firmware. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-2567 is a stack-based buffer overflow vulnerability affecting the Wavlink WL-NU516U1 firmware version 20251208. The flaw exists in the sub_401218 function of the /cgi-bin/nas.cgi file and is triggered by manipulating the User1Passwd argument. Published on 2026-02-16, it carries a CVSS 3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and maps to CWEs 119, 121, and 787.

The vulnerability enables remote exploitation by attackers with high privileges, such as authenticated users with administrative access. Low attack complexity and no user interaction are required, allowing attackers to achieve high impacts on confidentiality, integrity, and availability, potentially resulting in arbitrary code execution through the buffer overflow. A public exploit is available for use.

Advisories and further details are documented on VulDB at https://vuldb.com/?ctiid.346174, https://vuldb.com/?id.346174, and https://vuldb.com/?submit.752016. A proof-of-concept exploit is publicly hosted on GitHub at https://github.com/Wlz1112/Wavlink-NU516U1-V251208-/blob/main/nas.cgi_User1Passwd.md.

EU & UK References

Vulnerability details

A vulnerability was detected in Wavlink WL-NU516U1 20251208. This vulnerability affects the function sub_401218 of the file /cgi-bin/nas.cgi. Performing a manipulation of the argument User1Passwd results in stack-based buffer overflow. The attack may be initiated remotely. The exploit is now…

more

public and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Buffer overflow in public-facing /cgi-bin/nas.cgi web endpoint enables remote code execution (even with PR:H auth), matching T1190 Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3703Same product: Wavlink Wl-Nu516U1
CVE-2026-3613Same product: Wavlink Wl-Nu516U1
CVE-2026-4861Same product: Wavlink Wl-Nu516U1
CVE-2026-3661Same product: Wavlink Wl-Nu516U1
CVE-2026-2615Same product: Wavlink Wl-Nu516U1
CVE-2026-8191Same product: Wavlink Wl-Nu516U1
CVE-2026-8227Same product: Wavlink Wl-Nu516U1
CVE-2026-3704Same product: Wavlink Wl-Nu516U1
CVE-2026-8190Same product: Wavlink Wl-Nu516U1
CVE-2026-8188Same product: Wavlink Wl-Nu516U1

Affected Assets

wavlink
wl-nu516u1 firmware
≤ 2025-12-08

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces bounds checking and sanitization on the User1Passwd argument supplied to /cgi-bin/nas.cgi, preventing the stack overflow in sub_401218.

prevent

Applies memory-protection mechanisms (e.g., stack canaries, ASLR, NX) that block successful exploitation of the stack-based buffer overflow even if malicious input reaches the function.

prevent

Requires timely application of firmware patches that eliminate the vulnerable sub_401218 code path before a public exploit can be used.

References