Cyber Resilience

CVE-2026-3612

HighPublic PoCRCE

Published: 06 March 2026

Published
06 March 2026
Modified
10 March 2026
KEV Added
Patch
CVSS Score v4 7.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0046 64.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3612 is a high-severity Injection (CWE-74) vulnerability in Wavlink Wl-Nu516U1 Firmware. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 35.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-3612 is a command injection vulnerability in the Wavlink WL-NU516U1 firmware version V240425. It affects the sub_405AF4 function within the /cgi-bin/adm.cgi file of the OTA Online Upgrade component, where manipulation of the firmware_url argument enables command injection. The issue corresponds to CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-77 (Command Injection), with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

The vulnerability can be exploited remotely by an authenticated attacker with high privileges, such as an administrator. Successful exploitation allows the attacker to execute arbitrary commands on the device, potentially leading to high-impact confidentiality, integrity, and availability compromises, including full device takeover.

Advisories from VulDB detail the vulnerability and note that the exploit has been publicly disclosed via a GitHub repository containing specifics on the firmware_url manipulation. The vendor was contacted early regarding disclosure, but no patch or mitigation details are specified in the available references. Security practitioners should review the linked resources, including https://github.com/Wlz1112/WAVLINK-NU516-V240425/blob/main/firmware_url.md and VulDB entries, for exploit details and monitor for vendor updates.

EU & UK References

Vulnerability details

A vulnerability was determined in Wavlink WL-NU516U1 V240425. This affects the function sub_405AF4 of the file /cgi-bin/adm.cgi of the component OTA Online Upgrade. This manipulation of the argument firmware_url causes command injection. It is possible to initiate the attack remotely.…

more

The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in public-facing /cgi-bin/adm.cgi OTA component enables remote authenticated RCE via firmware_url manipulation on embedded Linux firmware, directly mapping to T1190 (public app exploitation) and T1059.004 (Unix shell command execution).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3661Same product: Wavlink Wl-Nu516U1
CVE-2026-2615Same product: Wavlink Wl-Nu516U1
CVE-2026-3662Same product: Wavlink Wl-Nu516U1
CVE-2026-8191Same product: Wavlink Wl-Nu516U1
CVE-2026-8227Same product: Wavlink Wl-Nu516U1
CVE-2026-8190Same product: Wavlink Wl-Nu516U1
CVE-2026-8188Same product: Wavlink Wl-Nu516U1
CVE-2026-8192Same product: Wavlink Wl-Nu516U1
CVE-2026-8228Same product: Wavlink Wl-Nu516U1
CVE-2026-8189Same product: Wavlink Wl-Nu516U1

Affected Assets

wavlink
wl-nu516u1 firmware
m16u1_v240425

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation and sanitization of the firmware_url argument before it is processed by sub_405AF4, directly blocking command injection.

prevent

Restricts the high-privilege accounts that can reach /cgi-bin/adm.cgi OTA functions, reducing the population able to supply a malicious firmware_url.

prevent

Enforces access restrictions and authorization checks on configuration changes such as firmware upgrades, limiting who can invoke the vulnerable code path.

References