A flaw has been found in Wavlink NU516U1 251208. This affects the function sub_401A10 of the file /cgi-bin/login.cgi. Executing a manipulation of the argument ipaddr can lead to out-of-bounds write.
The attack may be performed from remote. The exploit has been published and may be used. Upgrading the affected component is recommended.
The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service
CVSS Vector v4.0
Weakness Type (CWE)
References 6
https://dl.wavlink.com/firmware/RD/WINSTAR_NU516U1-WO-A-2026-02-27-2fcf6ae-mt76…
cna@vuldb.com
https://github.com/Wlz1112/Wavlink-NU516U1-V251208-/blob/main/ipaddr.md
cna@vuldb.com
https://github.com/Wlz1112/Wavlink-NU516U1-V251208-/blob/main/ipaddr.md#exp-exp…
cna@vuldb.com
https://vuldb.com/?ctiid.349649
cna@vuldb.com
https://vuldb.com/?id.349649
cna@vuldb.com
https://vuldb.com/?submit.759226
cna@vuldb.com