Wavlink NU516U1 Command Injection Vulnerability in Firewall CGI Port Forward Delete Function
Vulnerability
A command injection vulnerability has been identified in the Wavlink NU516U1 router, in versions prior to 20251208. The issue resides in the 'singlePortForwardDelete' function within the '/cgi-bin/firewall.cgi' file. Authenticated remote attackers can manipulate the 'del_flag' parameter to bypass input validation and execute arbitrary commands on the device with root privileges. The flaw arises from a faulty input filtering mechanism that fails to properly sanitize the 'del_flag' parameter.
Impact
Exploitation of this vulnerability allows for remote command execution on the affected device with root privileges.
Reproduction
To reproduce this vulnerability, send a POST request to '/cgi-bin/firewall.cgi' with the 'firewall' parameter set to 'singlePortForwardDelete' and the 'del_flag' parameter containing a crafted payload that includes a semicolon followed by the desired command. The request must carry a valid session cookie so that it is authenticated.
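A detection check for the request described above, as an added example that is not from the original advisory or from Wavlink: it parses logged POST bodies and flags any 'del_flag' value outside a numeric allowlist. It assumes request bodies are available (for example from a proxy log) and that legitimate 'del_flag' values contain only digits and commas; the function and constant names are hypothetical.

```python
import re
from urllib.parse import parse_qs

TARGET_PATH = "/cgi-bin/firewall.cgi"
TARGET_ACTION = "singlePortForwardDelete"
# Assumption: a legitimate del_flag holds only digits and commas. Confirm
# against what the device's own web UI sends before relying on this.
BENIGN_DEL_FLAG = re.compile(r"[0-9,]{1,64}")


def inspect_request(method, path, body):
    """Return findings for one logged HTTP request; an empty list means clean."""
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return []
    # parse_qs percent-decodes values and keeps every copy of a repeated
    # parameter. separator="&" stops a raw ';' from being treated as a field
    # delimiter, which would hide the tail of the value from the check.
    params = parse_qs(body, keep_blank_values=True, separator="&")
    if TARGET_ACTION not in params.get("firewall", []):
        return []
    return [
        f"del_flag outside allowlist: {value!r}"
        for value in params.get("del_flag", [])
        if not BENIGN_DEL_FLAG.fullmatch(value)
    ]


# Constructed sample requests (method, path, form body); not captured traffic.
SAMPLES = [
    ("POST", TARGET_PATH, "firewall=singlePortForwardDelete&del_flag=2"),
    ("POST", TARGET_PATH, "firewall=singlePortForwardDelete&del_flag=2%3BPLACEHOLDER"),
    ("POST", TARGET_PATH, "firewall=singlePortForwardDelete&del_flag=1&del_flag=1;PLACEHOLDER"),
    ("POST", "/cgi-bin/login.cgi", "del_flag=2%3BPLACEHOLDER"),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        for finding in inspect_request(method, path, body):
            print(f"ALERT {method} {path}: {finding}")
```

The allowlist approach reports anything unexpected in 'del_flag', so it does not depend on enumerating shell metacharacters or on how the device's filter is bypassed.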
