CVE-2025-10958
Published 2025-09-25
Priority P269 · high · 8.8 · CVSS 3.1
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 6.81% (93.2th percentile)
A flaw has been found in Wavlink NU516U1 M16U1_V240425. Impacted is the function sub_403010 of the file /cgi-bin/wireless.cgi of the component AddMac Page. This manipulation of the argument macAddr causes command injection. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wavlink | nu516u1 | — | — |
| wavlink | wl-nu516u1_firmware | — | — |
Detection & IOCs
url: https://github.com/lin-3-start/lin-cve/blob/main/Wavlink-English/Wavlink.md
url: https://github.com/panda666-888/vuls/blob/main/wavlink/nu516u1/Delete_Mac_list.md
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Wavlink wireless.cgi Multiple Parameters Command Injection Attempt (CVE-2025-9149, CVE-2025-10958, CVE-2025-10960, CVE-2025-10961)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:21; content:"/cgi-bin/wireless.cgi"; fast_pattern; http.request_body; pcre:"/(?:Guest_ssid|macAddr|delete_list)\x3d[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:url,github.com/lin-3-start/lin-cve/blob/main/Wavlink-English/Wavlink.md; reference:cve,2025-9149; reference:cve,2025-10958; reference:cve,2025-10961; reference:url,github.com/panda666-888/vuls/blob/main/wavlink/nu516u1/Delete_Mac_list.md; reference:cve,2025-10960; classtype:attempted-admin; sid:2064097; rev:2; metadata:affected_product Wavlink, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_08_21, cve CVE_2025_9149, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_09_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Match HTTP POST requests whose URI is exactly '/cgi-bin/wireless.cgi'; the rule's bsize:21 constrains the URI buffer to 21 bytes, the length of that path.
- Inspect the HTTP POST body for the vulnerable parameters (macAddr, Guest_ssid, delete_list) followed by shell metacharacters: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24), URL-encoded or literal.
- The injection point is the 'macAddr' argument on the AddMac Page, handled by function sub_403010 in /cgi-bin/wireless.cgi. Focus analysis on that parameter for command injection payloads.
- Traffic is expected in plaintext (not TLS); deploy detection at perimeter and internal network boundaries.
- The Snort/Suricata rule (sid:2064097) covers four CVEs simultaneously (CVE-2025-9149, CVE-2025-10958, CVE-2025-10960, CVE-2025-10961); a match does not isolate CVE-2025-10958 alone, so correlate with the specific 'macAddr' parameter to narrow attribution.
- The vendor (Wavlink) was contacted early about this disclosure but did not respond; no official patch is confirmed, so detection/blocking controls are the primary mitigation.
- Affected device is specifically Wavlink NU516U1 firmware M16U1_V240425; scope detection to that device model/firmware to reduce false positives.
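An added example, not part of the original page or of the ET ruleset: a Python re-implementation of the rule's method, URI and body checks that also reports which parameter matched, so an alert from sid:2064097 can be attributed to macAddr (CVE-2025-10958) or to one of the other parameters the rule covers. The function names `triage` and `is_cve_2025_10958` are hypothetical, and the sample requests are constructed with a harmless `marker` string in place of any command.

```python
import re

# Metacharacter alternatives copied from the pcre in sid:2064097:
# ; newline ` | $ in literal or URL-encoded form.
META = r"(?:\x3b|%3[Bb]|\x0a|%0[Aa]|\x60|%60|\x7c|%7[Cc]|\x24|%24)"
# Same structure as the rule: parameter name, '=', any run without '&',
# then a metacharacter. The capture group records which parameter it was.
PARAM_RE = re.compile(r"(Guest_ssid|macAddr|delete_list)=[^&]*?" + META)
URI = "/cgi-bin/wireless.cgi"


def triage(method, uri, body):
    """Return the sorted parameter names whose value would trip the rule.

    An empty list means the request is out of scope (not a POST to the
    exact URI) or no covered parameter carries a metacharacter.
    """
    if method != "POST" or uri != URI:
        return []
    return sorted({m.group(1) for m in PARAM_RE.finditer(body)})


def is_cve_2025_10958(method, uri, body):
    """True only when the match is on macAddr, the AddMac Page argument."""
    return "macAddr" in triage(method, uri, body)


# Constructed sample requests (method, uri, raw body); not captured traffic.
SAMPLES = [
    ("POST", URI, "macAddr=00:11:22:33:44:55"),
    ("POST", URI, "macAddr=00:11:22:33:44:55%3Bmarker"),
    ("POST", URI, "Guest_ssid=lab`marker`&macAddr=00:11:22:33:44:55"),
    ("POST", URI, "macAddr=00:11&delete_list=1|marker"),
    ("GET", URI, "macAddr=00:11;marker"),
]

if __name__ == "__main__":
    for method, uri, body in SAMPLES:
        hits = triage(method, uri, body)
        label = "CVE-2025-10958" if "macAddr" in hits else "other/none"
        print(f"{method} {body!r}: matched={hits} attribution={label}")
```

Because `[^&]*?` cannot cross an `&`, a metacharacter in a later parameter is never attributed to macAddr, which is what makes the per-parameter attribution reliable.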
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
Suricata
ET WEB_SPECIFIC_APPS Wavlink wireless.cgi Multiple Parameters Command Injection Attempt (CVE-2025-9149, CVE-2025-10958, CVE-2025-10960, CVE-2025-10961)
suricata·2025-08-21·CVSS 5.3
CVE-2025-9149 [MEDIUM] ET WEB_SPECIFIC_APPS Wavlink wireless.cgi Multiple Parameters Command Injection Attempt (CVE-2025-9149, CVE-2025-10958, CVE-2025-10960, CVE-2025-10961)
No public exploits indexed.
No writeups or analysis indexed.
- https://github.com/panda666-888/vuls/blob/main/wavlink/nu516u1/AddMac.md
- https://github.com/panda666-888/vuls/blob/main/wavlink/nu516u1/AddMac.md#poc
- https://vuldb.com/?ctiid.325826
- https://vuldb.com/?id.325826
- https://vuldb.com/?submit.652768
Published: 2025-09-25