CVE-2026-8189
Published: 09 May 2026
Summary
CVE-2026-8189 is a low-severity Command Injection (CWE-77) vulnerability in Wavlink Wl-Nu516U1 Firmware. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
A vulnerability was found in Wavlink NU516U1 firmware version M16U1_V240425. The issue resides in the wzdrepeater function within /cgi-bin/adm.cgi, where manipulation of the wlan_bssid, sel_Automode, and sel_EncrypTyp arguments leads to operating system command injection. The flaw is tracked under CWE-77 and CWE-78 and carries a CVSS 4.0 score of 2.1 reflecting limited impact when exploited.
An authenticated remote attacker can supply crafted values to the affected parameters and execute arbitrary operating system commands on the device. Public exploit code has been released, enabling an attacker to achieve limited effects on confidentiality, integrity, and availability without requiring user interaction.
The EPSS score rose from a low of 0.0043 to a peak of 0.0106, indicating that exploitation interest increased after disclosure. The vendor was notified prior to publication, though no official patch or mitigation guidance appears in the referenced sources.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-28916
Vulnerability details
A vulnerability was found in Wavlink NU516U1 M16U1_V240425. Affected by this vulnerability is the function wzdrepeater of the file /cgi-bin/adm.cgi. The manipulation of the argument wlan_bssid/sel_Automode/sel_EncrypTyp results in os command injection. It is possible to launch the attack remotely. The…
more
exploit has been made public and could be used. The vendor was contacted early about this disclosure.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection (CWE-78) in remotely accessible /cgi-bin/adm.cgi directly enables exploitation of the public-facing web admin interface (T1190) and arbitrary Unix shell command execution (T1059.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.