CVE-2025-10959 is a command injection vulnerability identified in the Wavlink NU516U1 router, specifically in firmware version M16U1_V240425. The vulnerability resides in the function sub_401778 within the /cgi-bin/firewall.cgi script. The flaw is triggered by improper sanitization of the 'dmz_flag' parameter, which an attacker can manipulate to inject arbitrary commands. This vulnerability allows remote attackers to execute commands on the device without requiring authentication or user interaction, as the attack vector is network accessible (AV:N) and has low attack complexity (AC:L). The vulnerability impacts confidentiality, integrity, and availability due to the potential for arbitrary command execution, which could lead to device takeover, network pivoting, or denial of service. The CVSS 4.0 base score is 5.3 (medium severity), reflecting limited scope and partial impact on confidentiality, integrity, and availability. The vendor has been contacted but has not responded or issued a patch, and no known exploits are currently reported in the wild, although public exploit details have been disclosed. This increases the risk of exploitation by opportunistic attackers. The vulnerability affects a specific firmware version, indicating that devices running this version are at risk. Given the nature of the vulnerability, exploitation could allow attackers to control the router, intercept or redirect traffic, or disrupt network services, which is particularly concerning for organizations relying on these devices for network perimeter security.

For European organizations, the impact of this vulnerability could be significant, especially for small and medium enterprises or branch offices that deploy Wavlink NU516U1 routers as part of their network infrastructure. Successful exploitation could lead to unauthorized access to internal networks, interception of sensitive data, or disruption of business operations through denial of service. Compromise of the router could also facilitate lateral movement within the network, increasing the risk of broader breaches. Given the remote and unauthenticated nature of the exploit, attackers could target these devices en masse, potentially affecting multiple organizations. The lack of vendor response and patch availability exacerbates the risk, as organizations may be forced to rely on mitigations rather than fixes. Additionally, the vulnerability could be leveraged in supply chain attacks or as a foothold in targeted campaigns against European entities, particularly those in sectors with high reliance on network security such as finance, healthcare, and critical infrastructure.

Organizations should immediately inventory their network devices to identify any Wavlink NU516U1 routers running the affected firmware version M16U1_V240425. In the absence of an official patch, the following mitigations are recommended: 1) Restrict access to the router's management interface by implementing network segmentation and firewall rules to limit access only to trusted administrative hosts. 2) Disable remote management features if not required, especially access to /cgi-bin/firewall.cgi or related CGI scripts. 3) Monitor network traffic for unusual command injection patterns or unexpected outbound connections originating from the router. 4) Consider replacing affected devices with alternative hardware from vendors with active security support if patching is not forthcoming. 5) Employ network intrusion detection systems (NIDS) with signatures for command injection attempts targeting Wavlink devices. 6) Regularly update network device inventories and maintain close communication with vendors for security advisories. 7) As a temporary measure, implement strict input validation proxies or web application firewalls (WAF) if feasible to filter malicious payloads targeting the vulnerable CGI endpoint.