CVE-2025-10958 is a command injection vulnerability identified in the Wavlink NU516U1 router, specifically in firmware version M16U1_V240425. The flaw resides in the /cgi-bin/wireless.cgi endpoint within the AddMac Page component, particularly in the function sub_403010. The vulnerability is triggered by manipulation of the macAddr argument, which is not properly sanitized, allowing an attacker to inject arbitrary commands that the system executes. This vulnerability is remotely exploitable without requiring user interaction or authentication, as indicated by the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L). The CVSS score of 5.3 (medium severity) reflects that while the attack complexity is low and no user interaction is needed, some privileges are required (PR:L). The impact on confidentiality, integrity, and availability is low to limited, but successful exploitation could allow an attacker to execute arbitrary commands on the device, potentially leading to unauthorized control, data leakage, or disruption of network services. The vendor has not responded to the disclosure, and no patches or mitigations have been published yet. Although no known exploits are currently reported in the wild, the public availability of the exploit code increases the risk of exploitation. This vulnerability affects a specific firmware version, so devices running other versions may not be vulnerable. The attack surface is the router's web management interface, which is typically accessible within local networks but may be exposed externally if remote management is enabled or if the device is misconfigured.

For European organizations, this vulnerability poses a moderate risk, especially for those deploying Wavlink NU516U1 routers with the affected firmware. Exploitation could lead to unauthorized command execution on network routers, potentially allowing attackers to manipulate network traffic, intercept sensitive data, or disrupt connectivity. This is particularly concerning for small and medium enterprises or branch offices that rely on these routers for internet access and may lack robust network segmentation or monitoring. The lack of vendor response and absence of patches increases the window of exposure. If exploited, attackers could pivot from the compromised router to internal systems, undermining confidentiality and integrity of organizational data. Additionally, disruption of network availability could impact business operations. Given the router's typical deployment in home offices or small business environments, the threat may extend to remote workers and teleworking setups common in Europe. The medium severity rating suggests that while the threat is not critical, it should not be ignored, especially in environments where these devices are integral to network infrastructure.

1. Immediate mitigation should include disabling remote management interfaces on the affected routers to reduce exposure to external attacks. 2. Network administrators should restrict access to the router's web interface to trusted internal IP addresses only, using firewall rules or access control lists. 3. Monitor network traffic for unusual command execution patterns or unexpected outbound connections originating from the router. 4. If possible, downgrade or upgrade the firmware to a version not affected by this vulnerability, although no official patches are currently available; contacting Wavlink support for guidance is advisable. 5. Implement network segmentation to isolate vulnerable devices from critical systems, limiting potential lateral movement. 6. Employ intrusion detection/prevention systems (IDS/IPS) to detect exploitation attempts targeting the /cgi-bin/wireless.cgi endpoint. 7. Educate users and administrators about the risks of exposing router management interfaces and the importance of strong administrative credentials. 8. Plan for replacement of affected hardware if no firmware update is forthcoming, especially in high-risk environments.