Wavlink NU516U1 Command Injection Vulnerability Allowing Remote Code Execution
Vulnerability
A command injection vulnerability has been identified in the Wavlink NU516U1 router, in the OTA online upgrade feature of firmware version V240425. The issue is in the '/cgi-bin/adm.cgi' component, within the 'sub_405AF4' function. It allows authenticated remote attackers to execute arbitrary system commands by manipulating the 'firmware_url' parameter. Exploitation bypasses existing security measures and grants full root access to the device.
Impact
Exploitation of this vulnerability leads to unauthorized command execution with root privileges on the affected device.
Reproduction
To reproduce this vulnerability, an authenticated user must send a POST request to '/cgi-bin/adm.cgi' with the 'page' parameter set to 'ota_new_upgrade'. The 'firmware_url' parameter should be crafted to include shell command substitution, such as using '$()' or backticks, to inject a command that will be executed on the system.
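A detection check for the request shape described above, as an added example that is not part of the original advisory. It assumes the form-encoded POST body is available to the defender (for example from a reverse proxy or WAF log); the sample requests, the host 'updates.example' and the 'CMD' placeholder are constructed.

```python
from urllib.parse import parse_qs

# Request shape taken from the advisory text.
TARGET_PATH = "/cgi-bin/adm.cgi"
TARGET_PAGE = "ota_new_upgrade"
PARAM = "firmware_url"
# The two command-substitution forms the advisory names.
SUBSTITUTION_TOKENS = ("$(", "`")


def inspect_request(method, path, body):
    """Return findings for one HTTP request; an empty list means no match."""
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return []
    # parse_qs percent-decodes values, so %24%28 and %60 are matched as
    # "$(" and "`" rather than slipping past a raw substring search.
    form = parse_qs(body, keep_blank_values=True)
    if TARGET_PAGE not in form.get("page", []):
        return []
    findings = []
    for value in form.get(PARAM, []):
        for token in SUBSTITUTION_TOKENS:
            if token in value:
                findings.append(f"{PARAM} contains {token!r}: {value!r}")
    return findings


# Constructed sample requests (method, path, form body). The host
# updates.example and the CMD placeholder are illustrative only.
SAMPLES = [
    ("POST", TARGET_PATH, "page=ota_new_upgrade&firmware_url=http://updates.example/fw.bin"),
    ("POST", TARGET_PATH, "page=ota_new_upgrade&firmware_url=http://updates.example/$(CMD)"),
    ("POST", TARGET_PATH, "page=ota_new_upgrade&firmware_url=http%3A%2F%2Fupdates.example%2F%60CMD%60"),
    ("POST", TARGET_PATH, "page=other&firmware_url=%24%28CMD%29"),
    ("GET", TARGET_PATH, ""),
]


def flagged(samples):
    """Indices of samples that produce at least one finding."""
    return [i for i, req in enumerate(samples) if inspect_request(*req)]


if __name__ == "__main__":
    for i in flagged(SAMPLES):
        print(i, inspect_request(*SAMPLES[i]))
```

A legitimate firmware URL has no reason to contain either token, so any finding on this endpoint is worth triage.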
