cbcvebase.
CVE-2025-10960
published 2025-09-25

CVE-2025-10960: A vulnerability was found in Wavlink NU516U1 M16U1_V240425. The impacted element is the function sub_402D1C of the file /cgi-bin/wireless.cgi of the component…

PriorityP273high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
6.81%
93.2th percentile
A vulnerability was found in Wavlink NU516U1 M16U1_V240425. The impacted element is the function sub_402D1C of the file /cgi-bin/wireless.cgi of the component DeleteMac Page. Performing manipulation of the argument delete_list results in command injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected

2 ranges
VendorProductVersion rangeFixed in
wavlinknu516u1
wavlinkwl-nu516u1_firmware

Detection & IOCsextracted from sources · hover to see the quote

path/cgi-bin/wireless.cgi
urlhttps://github.com/panda666-888/vuls/blob/main/wavlink/nu516u1/Delete_Mac_list.md
urlhttps://github.com/lin-3-start/lin-cve/blob/main/Wavlink-English/Wavlink.md
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Wavlink wireless.cgi Multiple Parameters Command Injection Attempt (CVE-2025-9149, CVE-2025-10958, CVE-2025-10960, CVE-2025-10961)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:21; content:"/cgi-bin/wireless.cgi"; fast_pattern; http.request_body; pcre:"/(?:Guest_ssid|macAddr|delete_list)\x3d[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:url,github.com/lin-3-start/lin-cve/blob/main/Wavlink-English/Wavlink.md; reference:cve,2025-9149; reference:cve,2025-10958; reference:cve,2025-10961; reference:url,github.com/panda666-888/vuls/blob/main/wavlink/nu516u1/Delete_Mac_list.md; reference:cve,2025-10960; classtype:attempted-admin; sid:2064097; rev:2; metadata:affected_product Wavlink, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_08_21, cve CVE_2025_9149, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_09_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Target POST requests to /cgi-bin/wireless.cgi where the 'delete_list' parameter contains shell metacharacters (semicolon, newline, backtick, pipe, dollar sign) either raw or URL-encoded, indicating command injection attempts.
  • The vulnerable function is sub_402D1C in /cgi-bin/wireless.cgi on the DeleteMac Page; the injection vector is the 'delete_list' argument.
  • The attack is delivered remotely over plaintext HTTP via a POST request; deploy detection at the network perimeter and internally.
  • The exploit has been publicly disclosed; treat any POST to /cgi-bin/wireless.cgi with shell metacharacters in delete_list, macAddr, or Guest_ssid as high-confidence exploitation attempts.
  • ·The Snort/Suricata rule (sid:2064097) covers multiple CVEs sharing the same endpoint and parameter pattern (CVE-2025-9149, CVE-2025-10958, CVE-2025-10960, CVE-2025-10961); a match does not exclusively confirm CVE-2025-10960 without correlating the specific 'delete_list' parameter.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.02.1LOWCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.