CVE-2026-3612
Published: 06 March 2026
Summary
CVE-2026-3612 is a high-severity Injection (CWE-74) vulnerability in Wavlink Wl-Nu516U1 Firmware. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 36.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.
Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection in public-facing /cgi-bin/adm.cgi OTA component enables remote authenticated RCE via firmware_url manipulation on embedded Linux firmware, directly mapping to T1190 (public app exploitation) and T1059.004 (Unix shell command execution).
NVD Description
A vulnerability was determined in Wavlink WL-NU516U1 V240425. This affects the function sub_405AF4 of the file /cgi-bin/adm.cgi of the component OTA Online Upgrade. This manipulation of the argument firmware_url causes command injection. It is possible to initiate the attack remotely.…
more
The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure.
Deeper analysisAI
CVE-2026-3612 is a command injection vulnerability in the Wavlink WL-NU516U1 firmware version V240425. It affects the sub_405AF4 function within the /cgi-bin/adm.cgi file of the OTA Online Upgrade component, where manipulation of the firmware_url argument enables command injection. The issue corresponds to CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-77 (Command Injection), with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
The vulnerability can be exploited remotely by an authenticated attacker with high privileges, such as an administrator. Successful exploitation allows the attacker to execute arbitrary commands on the device, potentially leading to high-impact confidentiality, integrity, and availability compromises, including full device takeover.
Advisories from VulDB detail the vulnerability and note that the exploit has been publicly disclosed via a GitHub repository containing specifics on the firmware_url manipulation. The vendor was contacted early regarding disclosure, but no patch or mitigation details are specified in the available references. Security practitioners should review the linked resources, including https://github.com/Wlz1112/WAVLINK-NU516-V240425/blob/main/firmware_url.md and VulDB entries, for exploit details and monitor for vendor updates.
Details
- CWE(s)