CVE-2025-9149
Published 2025-08-19
Priority P2 · 74 · critical · 9.8 CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 5.60% (91.9th percentile)
A vulnerability was found in Wavlink WL-NU516U1 firmware M16U1_V240425. It affects the function sub_4032E4 in the file /cgi-bin/wireless.cgi: manipulating the Guest_ssid argument causes command injection. The attack can be carried out remotely. The exploit has been publicly disclosed and may be used.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wavlink | wl-nu516u1 | — | — |
| wavlink | wl-nu516u1_firmware | — | — |
Detection & IOCs
- Detect POST requests to /cgi-bin/wireless.cgi with a URI bsize of exactly 21 bytes, combined with command injection shell metacharacters (;, newline, backtick, pipe, $) in the Guest_ssid, macAddr, or delete_list body parameters, in both raw and URL-encoded forms.
- The injection vector is the Guest_ssid argument passed to function sub_4032E4 in wireless.cgi; monitor for shell metacharacters in this POST body parameter specifically.
- A public exploit PoC is available; treat any matching traffic as a high-confidence exploitation attempt (classtype: attempted-admin, confidence: High).
- Traffic is expected over plaintext HTTP (tls_state: plaintext); focus perimeter and internal network monitoring accordingly.
- The Snort/ET rule covers four CVEs sharing the same endpoint and parameters (CVE-2025-9149, CVE-2025-10958, CVE-2025-10960, CVE-2025-10961); a match does not exclusively confirm CVE-2025-9149, so correlate with the specific parameter (Guest_ssid for this CVE) to triage accurately.
- The affected firmware version is M16U1_V240425 on Wavlink WL-NU516U1; scope detection to devices running this specific firmware build.
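
The match conditions from the list above, together with the per-parameter correlation the triage note asks for, as an added example that is not part of the original page or of the ET ruleset. The regular expression follows the pcre in the Suricata rule quoted on this page; the `triage` function, its return fields and the sample requests are constructed for illustration.

```python
import re

# Conditions mirrored from the rule quoted on this page: POST, a URI of exactly
# "/cgi-bin/wireless.cgi" (21 bytes, hence bsize:21), and one of three body
# parameters whose value holds ; newline ` | or $ in raw or URL-encoded form.
TARGET_URI = b"/cgi-bin/wireless.cgi"
PARAM_RE = re.compile(
    rb"(Guest_ssid|macAddr|delete_list)\x3d[^\x26]*?"
    rb"(?:\x3b|%3[Bb]|\x0a|%0[Aa]|\x60|%60|\x7c|%7[Cc]|\x24|%24)"
)


def triage(method: bytes, uri: bytes, body: bytes) -> dict:
    """Say whether the rule conditions hold and which parameters triggered them."""
    if method != b"POST" or uri != TARGET_URI:
        return {"alert": False, "params": [], "cve_2025_9149": False}
    # [^&]*? keeps the metacharacter inside the same parameter's value.
    params = sorted({m.group(1).decode() for m in PARAM_RE.finditer(body)})
    return {
        "alert": bool(params),
        "params": params,
        # The page ties Guest_ssid to CVE-2025-9149; a hit on macAddr or
        # delete_list alone is not this CVE's vector.
        "cve_2025_9149": "Guest_ssid" in params,
    }


# Constructed request samples (method, URI, body); MARKER is a harmless placeholder.
SAMPLES = [
    (b"POST", TARGET_URI, b"Guest_ssid=lab%3BMARKER&x=1"),
    (b"POST", TARGET_URI, b"x=1&macAddr=00|MARKER"),
    (b"POST", TARGET_URI, b"Guest_ssid=HomeGuest&x=a;b"),
    (b"GET", TARGET_URI, b""),
]

if __name__ == "__main__":
    for method, uri, body in SAMPLES:
        print(method.decode(), body.decode(), "->", triage(method, uri, body))
```

The third sample does not alert because the metacharacter sits in a parameter the rule does not name.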
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
Suricata
ET WEB_SPECIFIC_APPS Wavlink wireless.cgi Multiple Parameters Command Injection Attempt (CVE-2025-9149, CVE-2025-10958, CVE-2025-10960, CVE-2025-10961)
suricata · 2025-08-21 · CVSS 5.3
CVE-2025-9149 [MEDIUM] ET WEB_SPECIFIC_APPS Wavlink wireless.cgi Multiple Parameters Command Injection Attempt (CVE-2025-9149, CVE-2025-10958, CVE-2025-10960, CVE-2025-10961)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Wavlink wireless.cgi Multiple Parameters Command Injection Attempt (CVE-2025-9149, CVE-2025-10958, CVE-2025-10960, CVE-2025-10961)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:21; content:"/cgi-bin/wireless.cgi"; fast_pattern; http.request_body; pcre:"/(?:Guest_ssid|macAddr|delete_list)\x3d[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:url,github.com/lin-3-start/lin-cve/blob/main/Wavlink-English/Wavlink.md; reference:cve,2025-9149; reference:cve,2025-10958; reference:cve,2025-10961; refere
No public exploits indexed.
No writeups or analysis indexed.