PatchSiren cyber security CVE debrief
CVE-2026-8189 Vuldb CVE debrief
CVE-2026-8189 describes a command-injection flaw in the Wavlink NU516U1 M16U1_V240425 web management CGI path. The issue is reported in the wzdrepeater function of /cgi-bin/adm.cgi, where manipulation of the wlan_bssid, sel_Automode, and sel_EncrypTyp arguments can lead to OS command injection. The supplied disclosure says the attack can be launched remotely and that exploit details have been made public. Although the CVSS score is low, the combination of remote reachability, command injection, and public exploit availability makes this worth prompt defensive review.
- Vendor
- Vuldb
- Product
- Unknown
- CVSS
- LOW 2.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-09
- Original CVE updated
- 2026-05-09
- Advisory published
- 2026-05-09
- Advisory updated
- 2026-05-09
Who should care
Administrators and security teams responsible for Wavlink NU516U1 M16U1_V240425 devices, especially if the web management interface is reachable from untrusted networks or the internet. MSPs and network teams managing embedded/consumer networking gear should also review exposure.
Technical summary
The source corpus ties the vulnerability to the wzdrepeater function in /cgi-bin/adm.cgi on Wavlink NU516U1 M16U1_V240425. According to the supplied description, crafted values for wlan_bssid, sel_Automode, and sel_EncrypTyp can trigger OS command injection. The weakness mapping in the record lists CWE-77 and CWE-78. The supplied CVSS v4 vector indicates a network-reachable issue with low privileges and no user interaction (AV:N/AC:L/AT:N/PR:L/UI:N), with low impact ratings. In practical terms, this is a remotely reachable management-plane injection issue that should be treated as higher risk where the device is exposed or where a public proof-of-concept is available.
Defensive priority
Medium-high: the published CVSS score is low, but remote command injection and public exploit availability justify prompt mitigation, especially for any exposed management interface.
Recommended defensive actions
- Update to a vendor-fixed firmware version for Wavlink NU516U1 M16U1_V240425 if one is available.
- Restrict access to the device management interface and /cgi-bin/adm.cgi to trusted admin networks or a VPN; do not expose it to the internet.
- Review logs for suspicious requests involving wzdrepeater or the parameters wlan_bssid, sel_Automode, and sel_EncrypTyp.
- If patching is not immediately possible, isolate the device from untrusted networks and reduce management exposure as much as possible.
- If compromise is suspected, review and reset administrative credentials and rebuild trust in the device before returning it to service.
Evidence notes
The NVD source item marks the CVE as Received and includes CNA-provided references to VulDB pages plus a GitHub markdown write-up. The CNA description states that manipulating wlan_bssid, sel_Automode, and sel_EncrypTyp in /cgi-bin/adm.cgi's wzdrepeater function results in OS command injection, that the attack is remotely launchable, and that exploit details were made public. The supplied CVSS v4 vector shows AV:N/AC:L/AT:N/PR:L/UI:N and low impact ratings. The record also maps the issue to CWE-77 and CWE-78. No additional validation of exploitability or affected deployment scope was performed here beyond the supplied corpus.
Official resources
The supplied source data places publication on 2026-05-09 and states that the vendor was contacted early. The disclosure also says exploit details were made public, so defenders should assume the issue is already in circulation.