Wavlink NU516U1 Command Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A command injection vulnerability has been identified in the Wavlink NU516U1 USB Network Printer Server, specifically in the M16U1_V240425 firmware. The issue arises in the 'wzdap' function of the '/cgi-bin/adm.cgi' file, where the 'EncrypType' and 'wl_Pass' arguments can be manipulated by an attacker to execute arbitrary operating system commands. This vulnerability can be exploited remotely, and a proof-of-concept exploit has been made public.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device.

Reproduction

To reproduce this vulnerability, send a POST request to '/cgi-bin/adm.cgi' with the 'page' parameter set to 'wzdap'. Include the 'EncrypType' parameter with a crafted value that includes the desired command, such as 'telnetd -l /bin/sh -p 8892'. The 'wl_Pass' parameter can be left empty. Once the request is sent, the device executes the injected command, in this example starting a telnet server on port 8892 that provides shell access.
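For defenders, the request shape described above can be matched in proxy or WAF logs. The following is an added example, not code from the vendor or the original report: it flags POSTs to '/cgi-bin/adm.cgi' with 'page=wzdap' whose 'EncrypType' or 'wl_Pass' values look unsafe. The allowlist for 'EncrypType', the metacharacter heuristic for 'wl_Pass' and all sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

TARGET_PATH = "/cgi-bin/adm.cgi"
# Assumption: legitimate EncrypType values are short alphanumeric tokens.
ENCRYPTYPE_OK = re.compile(r"[A-Za-z0-9_-]{0,32}")
# Heuristic: characters a shell treats specially; unusual passphrases may also match.
SHELL_META = re.compile(r"[;&|`$()<>\n\r]")


def inspect_request(method, path, body):
    """Return (parameter, value) findings for one request; empty list if clean."""
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return []
    form = parse_qs(body, keep_blank_values=True)  # URL-decodes values
    if "wzdap" not in form.get("page", []):
        return []
    findings = []
    for value in form.get("EncrypType", []):
        if not ENCRYPTYPE_OK.fullmatch(value):
            findings.append(("EncrypType", value))
    for value in form.get("wl_Pass", []):
        if SHELL_META.search(value):
            findings.append(("wl_Pass", value))
    return findings


# Constructed sample requests (method, path, url-encoded body); not captured traffic.
SAMPLES = [
    ("POST", "/cgi-bin/adm.cgi", "page=wzdap&EncrypType=AES&wl_Pass=correcthorse1"),
    ("POST", "/cgi-bin/adm.cgi",
     "page=wzdap&EncrypType=telnetd+-l+%2Fbin%2Fsh+-p+8892&wl_Pass="),
    ("POST", "/cgi-bin/adm.cgi", "page=wzdap&EncrypType=AES&wl_Pass=abc%7Cxyz"),
    ("POST", "/cgi-bin/adm.cgi", "page=other&EncrypType=a+b&wl_Pass="),
    ("GET", "/cgi-bin/adm.cgi", "page=wzdap&EncrypType=a+b"),
]


def scan(samples):
    """Return {sample index: findings} for every sample with at least one finding."""
    results = {}
    for index, (method, path, body) in enumerate(samples):
        findings = inspect_request(method, path, body)
        if findings:
            results[index] = findings
    return results


if __name__ == "__main__":
    for index, findings in scan(SAMPLES).items():
        print(f"sample {index}: suspicious {findings}")
```
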

Added: May 9, 2026, 7:18 PM
Updated: May 9, 2026, 7:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 7.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.