| tiêu đề | Wavlink NU516U1 V251208 Command Injection |
|---|
| Mô tả | # A remote command execution vulnerability exists in the `singlePortForwardDelete` function of the `firewall.cgi` component in the Wavlink NU516U1 (V251208) software.
### Overview
Supplier: Wavlink
Product: NU516U1 Version: WAVLINK-NU516U1-A-WO-20251208-BYFM
Type: command injection
### **Vulnerability description:**
A command injection vulnerability exists in the `/cgi-bin/firewall.cgi` component in Wavlink NU516U1 router firmware (version M16U1_V251208). The vulnerability is located in the **`sub_4016D0`** function that handles the **Port Forward Delete (singlePortForwardDelete)** functionality. When processing the `del_flag` parameter, the manufacturer calls the filter function `sub_405B2C` to check the user input. Although this function attempts to prevent command injection through a blacklist mechanism, its implementation is not rigorous and misses the key command delimiter semicolon (`;`). An authenticated remote attacker can bypass input validation by constructing a malicious **`del_flag`** parameter containing a semicolon, and use the `sprintf` function to splice arbitrary shell commands into a system call for execution, thereby taking full control of the device with root privileges. |
|---|
| Nguồn | ⚠️ https://github.com/Wlz1112/Wavlink-NU516U1-V251208-/blob/main/singlePortForwardDelete.md |
|---|
| Người dùng | haimianbaobao (UID 94979) |
|---|
| Đệ trình | 03/02/2026 13:17 (cách đây 4 các tháng) |
|---|
| Kiểm duyệt | 17/02/2026 07:53 (14 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 346265 [Wavlink WL-NU516U1 đến 20251208 /cgi-bin/firewall.cgi singlePortForwardDelete del_flag nâng cao đặc quyền] |
|---|
| điểm | 20 |
|---|