CVE-2026-3612 | Wavlink WL-NU516U1 V240425 OTA Online Upgrade /cgi-bin/adm.cgi sub_405AF4 firmware_url command injection

Inserito da Angelo Barbosa | Mar 5, 2026 | CVE

A vulnerability has been found in Wavlink WL-NU516U1 V240425 and classified as critical. This affects the function sub_405AF4 of the file /cgi-bin/adm.cgi of the component OTA Online Upgrade. This manipulation of the argument firmware_url causes command injection.

The identification of this vulnerability is CVE-2026-3612. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

The vendor was contacted early about this disclosure.

CVE-2026-3612 | Wavlink WL-NU516U1 V240425 OTA Online Upgrade /cgi-bin/adm.cgi sub_405AF4 firmware_url command injection

Post correlati

CVE-2024-42172 | HCL DRYiCE MyXalytics 6.3 improper authentication (KB0118149)

CVE-2024-4976 | Xpdf up to 4.05 AcroForm Field Reference out-of-bounds write

CVE-2025-0630 | Western Telematic Network Power Switch NPS up to 6.62 Web Interface file inclusion (icsa-25-035-01)

CVE-2024-29122 | Foliovision FV Flowplayer Video Player Plugin up to 7.5.41.7212 on WordPress cross site scripting