| Field | Value |
|---|---|
| Title | Wavlink NU516U1 V251208 Command Injection |

### Description

# **[IMPORTANT NOTICE: Distinction from CVE-2025-10959 and Patch Bypass Explanation]**
This submission is **NOT a duplicate** of the previously disclosed CVE-2025-10959. It documents a **patch bypass (incomplete fix)** in the vendor's latest firmware.
In the older firmware (V240425) covered by CVE-2025-10959, the `dmz_flag` parameter was concatenated into system commands without *any* sanitization. In the newer firmware tested in this report (V251208), the vendor attempted to fix CVE-2025-10959 by **introducing a new input filter function (`sub_405B2C`)**.
Reverse engineering of that filter reveals a logical flaw: the blacklist blocks characters such as `|`, `&` and `$`, but **omits the semicolon (`;`) command separator**. This report demonstrates how an attacker can bypass the vendor's patch for CVE-2025-10959 by injecting a semicolon through this flawed filter. Because the underlying code has changed (a sanitization layer was added, and it is that layer that is defective) and the exploit mechanics differ, this is a distinct vulnerability resulting from an incomplete fix.
A remote command execution vulnerability exists in the `singlePortForwardDelete` function of the `firewall.cgi` component in the Wavlink NU516U1 (V251208) software.
### Overview
Supplier: Wavlink
Product: NU516U1
Version: WAVLINK-NU516U1-A-WO-20251208-BYFM
Type: command injection
### **Vulnerability description:**
A command injection vulnerability exists in the `/cgi-bin/firewall.cgi` component of the Wavlink NU516U1 router firmware (version M16U1_V251208). The vulnerability is located in the **`sub_4016D0`** function, which handles the **Port Forward Delete (singlePortForwardDelete)** functionality. When processing the `del_flag` parameter, the firmware calls the filter function `sub_405B2C` to check the user input. Although this function attempts to prevent command injection through a blacklist, the blacklist is incomplete and misses the key command delimiter, the semicolon (`;`). An authenticated remote attacker can therefore pass a malicious **`del_flag`** value containing a semicolon through the validation; `sprintf` then splices that value into the command string handed to a system call, so the attacker's appended shell commands execute and the device can be fully controlled with root privileges. A blacklist that enumerates "dangerous" characters is the wrong control here: the value is a rule index and should be validated against an allowlist (digits only), and the command should be built without a shell in the path at all.
https://github.com/Wlz1112/Wavlink-NU516U1-V251208-/blob/main/wavlink_DMZ.md
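The following C program is an added illustration of the pattern described above and is not code from the submission, the linked write-up, or the Wavlink firmware. It reconstructs, from the report's description only, a blacklist filter that rejects `|`, `&` and `$` but not `;`, followed by an `sprintf`-style composition of a command line, and places next to it the allowlist check and argv-based invocation that close the hole. The function names, the denied character set, the `/bin/portfwd_del` command template and the digits-only rule for the parameter are assumptions made for the example; nothing here is the real `sub_405B2C` or `sub_4016D0`, and the program composes but never executes any command.

```c
/*
 * Added example (not code from the original submission or from the Wavlink
 * firmware): a blacklist filter that omits ';' in front of an sprintf()-style
 * command composition, beside an allowlist check and an argv-based alternative
 * that never hands the value to a shell. Names, the denied character set and
 * the command template are assumptions for illustration only.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical blacklist modelled on the report: rejects '|', '&' and '$'
 * (and, as an assumption, the backtick) but never looks at ';'.
 * Returns 1 if the input is accepted, 0 if rejected. */
int blacklist_accepts(const char *s)
{
    const char *denied = "|&$`";   /* assumed set; the report names | & $ */
    for (; *s; s++)
        if (strchr(denied, *s))
            return 0;
    return 1;
}

/* The vulnerable composition step: the "validated" parameter is spliced
 * into a command line. The template is a placeholder, not the firmware's
 * real command. Returns the length written, or -1 on rejection/overflow.
 * The caller is imagined to pass the result to system(); we never do. */
int build_command_unsafe(char *out, size_t n, const char *del_flag)
{
    if (!blacklist_accepts(del_flag))
        return -1;
    int len = snprintf(out, n, "/bin/portfwd_del %s", del_flag);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Allowlist check: a port-forward rule index should only ever be digits,
 * and a short run of them. Returns 1 if accepted, 0 if rejected. */
int allowlist_accepts(const char *s)
{
    if (*s == '\0' || strlen(s) > 5)   /* empty or absurdly long index */
        return 0;
    for (; *s; s++)
        if (!isdigit((unsigned char)*s))
            return 0;
    return 1;
}

/* Safer composition: validate with the allowlist, and even then keep the
 * value as its own argv element for execv() so no shell ever parses it.
 * Fills a NULL-terminated argv; returns 0 on success, -1 on rejection. */
int build_argv_safe(const char *del_flag, const char **argv, size_t argc_max)
{
    if (argc_max < 3 || !allowlist_accepts(del_flag))
        return -1;
    argv[0] = "/bin/portfwd_del";   /* placeholder binary path */
    argv[1] = del_flag;
    argv[2] = NULL;
    return 0;
}

/* Post-hoc check: does a composed command line still carry a shell
 * separator? Useful as a unit test for any filter you ship. */
int contains_separator(const char *cmd)
{
    return strpbrk(cmd, ";|&\n") != NULL;
}

int main(void)
{
    char cmd[128];
    const char *argv[3];
    const char *benign  = "3";
    const char *payload = "3;id";   /* constructed bypass input */

    printf("blacklist accepts \"%s\": %d\n", payload, blacklist_accepts(payload));
    if (build_command_unsafe(cmd, sizeof cmd, payload) > 0)
        printf("composed: %s  (separator present: %d)\n",
               cmd, contains_separator(cmd));

    printf("allowlist accepts \"%s\": %d, \"%s\": %d\n",
           benign, allowlist_accepts(benign), payload, allowlist_accepts(payload));
    printf("argv build for payload: %d\n", build_argv_safe(payload, argv, 3));
    return 0;
}
```

With the constructed input `3;id`, the blacklist accepts it and the composed line `/bin/portfwd_del 3;id` carries a second command, which is exactly the class of bypass the report describes. The allowlist rejects it, and the argv variant would reject it too; even if an allowlist were somehow too loose, an `execv()` call with the value as a separate argument leaves no shell to interpret a separator.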
| Field | Value |
|---|---|
| Source | ⚠️ https://github.com/Wlz1112/Wavlink-NU516U1-V251208-/blob/main/wavlink_DMZ.md |
| User | haimianbaobao (UID 94979) |
| Submission | 16.02.2026 15:31 (2 months ago) |
| Moderation | 07.03.2026 09:56 (19 days later) |
| Status | Accepted |
| VulDB entry | 349650 [Wavlink NU516U1 251208 Incomplete Fix CVE-2025-10959 /cgi-bin/firewall.cgi sub_405B2C privilege escalation] |
| Points | 20 |