Wavlink NU516U1 Command Injection Vulnerability in Firewall Component
Vulnerability
A command injection vulnerability has been identified in the Wavlink NU516U1 router, specifically in the 251208 firmware version. The issue is in the 'firewall.cgi' component, within the 'sub_405B2C' function, which was intended to filter user input for the 'dmz_flag' parameter. The filter is flawed: it fails to block the semicolon character, allowing authenticated remote attackers to inject arbitrary commands that are executed with root privileges. This vulnerability is a patch bypass of CVE-2025-10959, in which the same parameter was exploited while it was still unfiltered.
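The filter flaw described above, shown as an added example (not Wavlink's code and not taken from the advisory): a denylist that omits one metacharacter beside an allowlist check that runs on the form-decoded value. Assumptions: the denylist character set is constructed, 'dmz_flag' is taken to be an on/off switch encoded as "0" or "1", and all function names are hypothetical.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Constructed denylist in the style the advisory describes: several shell
 * metacharacters are rejected but ';' is not. Not the vendor's code. */
static bool denylist_accepts(const char *v) {
    return strpbrk(v, "|&`$<>\n") == NULL;
}

static int hexval(int c) {
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode a form-urlencoded value; fail on bad escapes, %00, or overflow. */
static bool form_decode(const char *in, char *out, size_t outsz) {
    size_t n = 0;
    for (; *in != '\0'; in++) {
        int c = (unsigned char)*in;
        if (c == '+') {
            c = ' ';
        } else if (c == '%') {
            int hi = hexval((unsigned char)in[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[2]);
            if (lo < 0) return false;          /* truncated or non-hex escape */
            c = hi * 16 + lo;
            in += 2;
            if (c == 0) return false;          /* encoded NUL would truncate */
        }
        if (n + 1 >= outsz) return false;      /* keep room for terminator */
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return true;
}

/* Allowlist on the decoded value. Assumption: dmz_flag is "0" or "1". */
static bool dmz_flag_valid(const char *raw) {
    char v[4];
    return form_decode(raw, v, sizeof v) &&
           (strcmp(v, "0") == 0 || strcmp(v, "1") == 0);
}

int main(void) {
    /* Constructed inputs: the denylist passes "1;x", the allowlist does not. */
    return (denylist_accepts("1;x") && !dmz_flag_valid("1;x") &&
            !dmz_flag_valid("1%3Bx") && dmz_flag_valid("1")) ? 0 : 1;
}
```

An allowlist of this kind does not depend on enumerating every dangerous character, which is the failure mode a patch bypass like this one exposes.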
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the affected device, with root privileges.
Reproduction
To reproduce this vulnerability, an authenticated user must send a POST request to the '/cgi-bin/firewall.cgi' endpoint. The request must include a 'dmz_flag' parameter with a value that contains a semicolon followed by a command, such as 'touch /tmp/pwned_success'. Once the request is processed, the injected command will be executed on the device, demonstrating successful exploitation.
Remediation
Users are advised to upgrade to the latest version of the Wavlink NU516U1 firmware, which is available on the Wavlink Firmware Download page.
