cbcvebase.
CVE-2025-9149
published 2025-08-19


Priority: P274 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 5.60% (91.9th percentile)
A vulnerability was determined in Wavlink WL-NU516U1 M16U1_V240425. It affects the function sub_4032E4 of the file /cgi-bin/wireless.cgi. Manipulation of the argument Guest_ssid causes command injection. The attack can be carried out remotely. The exploit has been publicly disclosed and may be used.

Affected (2 ranges)

Vendor   | Product              | Version range | Fixed in
wavlink  | wl-nu516u1           |               |
wavlink  | wl-nu516u1_firmware  |               |

Detection & IOCs (extracted from sources)

Path: /cgi-bin/wireless.cgi
  • Detect POST requests to /cgi-bin/wireless.cgi with a URI buffer size (bsize) of exactly 21 bytes, combined with command-injection shell metacharacters (;, newline, backtick, pipe, $) in the Guest_ssid, macAddr, or delete_list body parameters, in both raw and URL-encoded forms.
  • The injection vector is the Guest_ssid argument passed to function sub_4032E4 in wireless.cgi; monitor for shell metacharacters in this POST body parameter specifically.
  • A public exploit PoC is available; treat any matching traffic as a high-confidence exploitation attempt (classtype: attempted-admin, confidence: High).
  • Traffic is expected over plaintext HTTP (tls_state: plaintext); focus perimeter and internal network monitoring accordingly.
  • The Snort/ET rule covers four CVEs sharing the same endpoint and parameters (CVE-2025-9149, CVE-2025-10958, CVE-2025-10960, CVE-2025-10961); a match does not exclusively confirm CVE-2025-9149. Correlate with the specific parameter (Guest_ssid for this CVE) to triage accurately.
  • The affected firmware version is M16U1_V240425 on Wavlink WL-NU516U1; scope detection to devices running this specific firmware build.
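The detection notes above describe a network-signature condition (POST to the 21-byte URI, shell metacharacters in three named body parameters, raw or URL-encoded) plus a triage step (Guest_ssid means CVE-2025-9149, the other parameters mean a sibling CVE covered by the same rule). The following Python is an added example written for this record, not code from the CVE source, the ET/Snort rule, or the vendor: it parses a raw HTTP request, applies those conditions, and returns a triage verdict. The sample requests are constructed, not captured traffic, and the mapping of macAddr/delete_list hits to "sibling CVE" is an inference from the triage note, since the record does not say which of the three sibling CVEs each parameter belongs to.

```python
"""Detector for the /cgi-bin/wireless.cgi command-injection pattern.

Added example for this CVE record; not the ET/Snort rule itself.
Sample requests at the bottom are constructed for illustration.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/cgi-bin/wireless.cgi"  # 21 bytes: the bsize:21 condition in the notes
WATCHED_PARAMS = ("Guest_ssid", "macAddr", "delete_list")
# Shell metacharacters listed in the detection notes: ; newline backtick pipe $
META_RE = re.compile(r"[;\n`|$]")
SIBLING_CVES = "CVE-2025-10958/CVE-2025-10960/CVE-2025-10961"


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, path, headers and body (as text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "method": method,
        "path": urlsplit(target).path,
        "headers": headers,
        "body": body.decode("latin-1"),
    }


def inspect(raw: bytes) -> Optional[dict]:
    """Return a finding dict if the request matches the signature, else None."""
    req = parse_request(raw)
    # Endpoint condition: POST to exactly the 21-byte wireless.cgi path.
    if req["method"] != "POST" or req["path"] != TARGET_PATH:
        return None
    # parse_qs percent-decodes values, so %3B, %0A, %7C, %24 etc. are caught
    # alongside the raw characters (the "raw and URL-encoded forms" condition).
    params = parse_qs(req["body"], keep_blank_values=True)
    hits = {}
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            match = META_RE.search(value)
            if match:
                hits[name] = match.group(0)
    if not hits:
        return None
    # Triage: only Guest_ssid is the vector for CVE-2025-9149; other parameters
    # indicate one of the sibling CVEs covered by the same rule (assumption from the note).
    likely = "CVE-2025-9149" if "Guest_ssid" in hits else f"sibling CVE on same endpoint ({SIBLING_CVES})"
    return {"parameters": hits, "likely_cve": likely, "classtype": "attempted-admin"}


# Constructed sample requests (not real traffic; 192.0.2.1 is a documentation address).
BENIGN = (
    b"POST /cgi-bin/wireless.cgi HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"Guest_ssid=GuestNet&macAddr=00:11:22:33:44:55"
)
ENCODED_GUEST_SSID = (
    b"POST /cgi-bin/wireless.cgi HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n"
    b"Guest_ssid=GuestNet%3Bx&delete_list=a"
)
RAW_MACADDR = (
    b"POST /cgi-bin/wireless.cgi HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n"
    b"macAddr=00:11:22:33:44:55|x"
)
OTHER_PATH = b"POST /cgi-bin/other.cgi HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\nGuest_ssid=a%3Bb"

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("encoded", ENCODED_GUEST_SSID),
                          ("raw macAddr", RAW_MACADDR), ("other path", OTHER_PATH)]:
        print(label, "->", inspect(sample))
```

Because the check decodes the body before matching, a single regex covers both the raw and percent-encoded forms the notes call out; the returned `parameters` map tells the analyst which parameter fired, which is the correlation step the triage note asks for.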

CVSS provenance

Source | Version | Score | Severity | Vector
nvd    | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd    | v4.0    | 2.1   | LOW      | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvd    | v2.0    | 6.5   | MEDIUM   | AV:N/AC:L/Au:S/C:P/I:P/A:P