CVE-2025-10959
Published 2025-09-25
Priority: P274 high, CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 6.61% (93.0th percentile)
A vulnerability has been found in Wavlink NU516U1 M16U1_V240425. The affected element is the function sub_401778 of the file /cgi-bin/firewall.cgi. Such manipulation of the argument dmz_flag leads to command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wavlink | nu516u1 | — | — |
| wavlink | wl-nu516u1_firmware | — | — |
| wavlink | wl-nu516u1_firmware | — | — |
Detection & IOCs (extracted from sources)
path: /cgi-bin/firewall.cgi
url: https://lafdrew.github.io/2025/03/31/Remote-Command-Execution-in-firewall-cgi-of-wavlink-WL-WN579A3-Device/
url: https://github.com/panda666-888/vuls/blob/main/wavlink/nu516u1/DMZ.md#poc
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Wavlink firewall.cgi Multiple Parameters Command Injection Attempt (CVE-2025-10963, CVE-2025-10959)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:21; content:"/cgi-bin/firewall.cgi"; fast_pattern; http.request_body; pcre:"/(?:del|dmz)_flag\x3d.*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24)|(\x26{2}|%26%26))+/"; reference:url,lafdrew.github.io/2025/03/31/Remote-Command-Execution-in-firewall-cgi-of-wavlink-WL-WN579A3-Device/; reference:url,github.com/panda666-888/vuls/blob/main/wavlink/nu516u1/DMZ.md#poc; reference:cve,2025-10963; reference:cve,2025-10959; classtype:attempted-admin; sid:2062392; rev:2; metadata:affected_product Wavlink, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_05_15, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_09_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

- Target HTTP POST requests to /cgi-bin/firewall.cgi with a URI length of exactly 21 bytes.
- Inspect the HTTP request body for del_flag or dmz_flag parameters containing shell metacharacters (semicolon, newline, backtick, pipe, dollar sign, double-ampersand) in plain or URL-encoded form.
- The incomplete-fix variant (CVE-2026-3704) resides in function sub_405B2C of /cgi-bin/firewall.cgi on Wavlink NU516U1 firmware 251208, while CVE-2025-10959 as published is in sub_401778 on M16U1_V240425; focus analysis on these binary functions for command injection via manipulated parameters.
- Traffic is expected in plaintext (non-TLS); deploy the detection rule at the network perimeter and internally.
- Map detections to MITRE ATT&CK T1190 (Exploit Public-Facing Application) under tactic TA0001 (Initial Access).
- The fix for CVE-2025-10959 is described as incomplete; a bypass (tracked as CVE-2026-3704) exists in the same function sub_405B2C, meaning patching CVE-2025-10959 alone may not fully remediate the attack surface.
- The Snort/Suricata rule (sid:2062392 rev:2) covers both CVE-2025-10963 and CVE-2025-10959 simultaneously; tuning or suppression of one CVE should not inadvertently disable coverage for the other.
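
The rule's three conditions (POST, exact 21-byte URI, pcre on the request body) can be replayed offline against stored request records to see what it would alert on. This is an added example, not part of the rule set or the advisory; the record layout, the `CMD` placeholder and the `ip` and `note` parameter names are assumptions made for illustration.

```python
import re

# Python port of the pcre in sid:2062392 (same alternation, same order).
FLAG_INJECTION = re.compile(
    rb"(?:del|dmz)_flag\x3d.*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)"
    rb"|(?:\x7c|%7[Cc])|(?:\x24|%24)|(\x26{2}|%26%26))+"
)
URI = b"/cgi-bin/firewall.cgi"  # exactly 21 bytes, which is what bsize:21 enforces


def rule_matches(method: bytes, uri: bytes, body: bytes) -> bool:
    """Mirror the rule: POST method, exact URI, pcre hit in the request body."""
    return (
        method == b"POST"
        and uri == URI
        and FLAG_INJECTION.search(body) is not None
    )


def triage(records):
    """Return the indexes of the records the rule would alert on."""
    return [i for i, (m, u, b) in enumerate(records) if rule_matches(m, u, b)]


# Constructed sample records (method, URI, body); not captured traffic.
# CMD is a placeholder; "ip" and "note" are hypothetical parameter names.
SAMPLES = [
    (b"POST", URI, b"dmz_flag=1&ip=192.168.10.5"),   # 0: benign, single '&' only
    (b"POST", URI, b"dmz_flag=1;CMD"),               # 1: raw semicolon
    (b"POST", URI, b"dmz_flag=1%3BCMD"),             # 2: URL-encoded semicolon
    (b"POST", URI, b"del_flag=0%60CMD%60"),          # 3: URL-encoded backticks
    (b"GET", URI, b"dmz_flag=1;CMD"),                # 4: not a POST, no alert
    (b"POST", URI, b"dmz_flag=1&note=cost%2410"),    # 5: '$' in a later field
]

if __name__ == "__main__":
    for i in triage(SAMPLES):
        print("alert on record", i, SAMPLES[i][2])
```

Record 5 is a tuning point: the `.*?` in the pcre is not bounded by `&`, so a listed metacharacter in any later field of the same body also alerts.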
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
GHSA
GHSA-v25j-jp29-j537: A vulnerability has been found in Wavlink NU516U1 251208
ghsa_unreviewed·2026-03-08·CVSS 5.3
CVE-2026-3704 [MEDIUM] CWE-74 GHSA-v25j-jp29-j537: A vulnerability has been found in Wavlink NU516U1 251208
A vulnerability has been found in Wavlink NU516U1 251208. This vulnerability affects the function sub_405B2C of the file /cgi-bin/firewall.cgi of the component Incomplete Fix CVE-2025-10959. The manipulation leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
GHSA
GHSA-5rc4-jf69-p5ff: A vulnerability has been found in Wavlink NU516U1 M16U1_V240425
ghsa_unreviewed·2025-09-25
CVE-2025-10959 [MEDIUM] CWE-74 GHSA-5rc4-jf69-p5ff: A vulnerability has been found in Wavlink NU516U1 M16U1_V240425
A vulnerability has been found in Wavlink NU516U1 M16U1_V240425. The affected element is the function sub_401778 of the file /cgi-bin/firewall.cgi. Such manipulation of the argument dmz_flag leads to command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Suricata
ET WEB_SPECIFIC_APPS Wavlink firewall.cgi Multiple Parameters Command Injection Attempt (CVE-2025-10963, CVE-2025-10959)
suricata·2025-05-15·CVSS 5.3
CVE-2025-10963 [MEDIUM] ET WEB_SPECIFIC_APPS Wavlink firewall.cgi Multiple Parameters Command Injection Attempt (CVE-2025-10963, CVE-2025-10959)
No public exploits indexed.
No writeups or analysis indexed.
- https://github.com/panda666-888/vuls/blob/main/wavlink/nu516u1/DMZ.md
- https://github.com/panda666-888/vuls/blob/main/wavlink/nu516u1/DMZ.md#poc
- https://vuldb.com/?ctiid.325827
- https://vuldb.com/?id.325827
- https://vuldb.com/?submit.652769
Published: 2025-09-25