| शीर्षक | Wavlink NU516U1 V251208) Command Injection |
|---|
| विवरण | # The DMZ function of Wavlink NU516U1 (V251208) firewall.cgi component has a remote command execution vulnerability.
### Overview
Supplier: Wavlink
Product: NU516U1 Version: WAVLINK-NU516U1-A-WO-20251208-BYFM
Type: command injection
### Vulnerability description
A command injection vulnerability exists in the `/cgi-bin/firewall.cgi` component in Wavlink NU516U1 router firmware (version M16U1_V251208). The vulnerability is located in the `sub_4017F0` function that handles DMZ settings. Although the manufacturer introduced the filtering function `sub_405B2C` in an attempt to fix the vulnerability of the old version (M16U1_V240425), the blacklist filtering mechanism is not rigorous and misses the key command delimiter semicolon (`;`). An authenticated remote attacker can bypass input validation by constructing a malicious `dmz_flag` parameter containing a semicolon, and use the `sprintf` function to splice arbitrary shell commands into a system call for execution, thereby taking full control of the device with root privileges. |
|---|
| स्रोत | ⚠️ https://github.com/Wlz1112/Wavlink-NU516U1-V251208-/blob/main/wavlink_DMZ.md |
|---|
| उपयोगकर्ता | haimianbaobao (UID 94979) |
|---|
| सबमिशन | 03/02/2026 01:15 PM (4 महीनों पहले) |
|---|
| संयम | 15/02/2026 08:35 PM (12 days later) |
|---|
| स्थिति | प्रतिलिपि |
|---|
| VulDB प्रविष्टि | 325827 [Wavlink NU516U1 M16U1_V240425 /cgi-bin/firewall.cgi sub_401778 dmz_flag अधिकार वृद्धि] |
|---|
| अंक | 0 |
|---|