CVE-2026-3612
Published: 06 March 2026
Summary
CVE-2026-3612 is a high-severity Injection (CWE-74) vulnerability in Wavlink Wl-Nu516U1 Firmware. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 35.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-3612 is a command injection vulnerability in the Wavlink WL-NU516U1 firmware version V240425. It affects the sub_405AF4 function within the /cgi-bin/adm.cgi file of the OTA Online Upgrade component, where manipulation of the firmware_url argument enables command injection. The issue corresponds to CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-77 (Command Injection), with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
The vulnerability can be exploited remotely by an authenticated attacker with high privileges, such as an administrator. Successful exploitation allows the attacker to execute arbitrary commands on the device, potentially leading to high-impact confidentiality, integrity, and availability compromises, including full device takeover.
Advisories from VulDB detail the vulnerability and note that the exploit has been publicly disclosed via a GitHub repository containing specifics on the firmware_url manipulation. The vendor was contacted early regarding disclosure, but no patch or mitigation details are specified in the available references. Security practitioners should review the linked resources, including https://github.com/Wlz1112/WAVLINK-NU516-V240425/blob/main/firmware_url.md and VulDB entries, for exploit details and monitor for vendor updates.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9964
Vulnerability details
A vulnerability was determined in Wavlink WL-NU516U1 V240425. This affects the function sub_405AF4 of the file /cgi-bin/adm.cgi of the component OTA Online Upgrade. This manipulation of the argument firmware_url causes command injection. It is possible to initiate the attack remotely.…
more
The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection in public-facing /cgi-bin/adm.cgi OTA component enables remote authenticated RCE via firmware_url manipulation on embedded Linux firmware, directly mapping to T1190 (public app exploitation) and T1059.004 (Unix shell command execution).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires validation and sanitization of the firmware_url argument before it is processed by sub_405AF4, directly blocking command injection.
Restricts the high-privilege accounts that can reach /cgi-bin/adm.cgi OTA functions, reducing the population able to supply a malicious firmware_url.
Enforces access restrictions and authorization checks on configuration changes such as firmware upgrades, limiting who can invoke the vulnerable code path.