CVE-2026-3612 PUBLISHED

A vulnerability was determined in Wavlink WL-NU516U1 V240425. This affects the function sub_405AF4 of the file /cgi-bin/adm.cgi of the component OTA Online Upgrade. This manipulation of the argument firmware_url causes command injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure.

• haimianbaobao (VulDB User) reporter
• VulDB coordinator

• VDB-349220 | Wavlink WL-NU516U1 OTA Online Upgrade adm.cgi sub_405AF4 command injection
• VDB-349220 | CTI Indicators (IOB, IOC, TTP, IOA)
• Submit #754668 | Wavlink NU516U1 V240425 Command Injection
• https://github.com/Wlz1112/WAVLINK-NU516-V240425/blob/main/firmware_url.md

• Command Injection CWE
• Injection CWE