
CVE-2025-10960: Command Injection in Wavlink NU516U1

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-10960, cve, cve-2025-10960
Published: Thu Sep 25 2025 (09/25/2025, 18:02:05 UTC)
Source: CVE Database V5
Vendor/Project: Wavlink
Product: NU516U1

Description

A vulnerability was found in Wavlink NU516U1 M16U1_V240425. The impacted element is the function sub_402D1C of the file /cgi-bin/wireless.cgi of the component DeleteMac Page. Manipulating the argument delete_list results in command injection. The attack can be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 09/25/2025, 18:14:36 UTC

Technical Analysis

CVE-2025-10960 is a command injection vulnerability identified in the Wavlink NU516U1 router, specifically in the M16U1_V240425 firmware version. The vulnerability exists in the function sub_402D1C within the /cgi-bin/wireless.cgi component, which handles the DeleteMac Page functionality. The flaw arises from improper sanitization or validation of the 'delete_list' argument, allowing an attacker to inject arbitrary commands that the system executes. This vulnerability is remotely exploitable without requiring user interaction or authentication, making it particularly dangerous. The public availability of an exploit increases the risk of exploitation. The vendor has been notified but has not responded or issued a patch, leaving affected devices exposed. The CVSS 4.0 base score is 5.3, reflecting a medium severity level, with a vector indicating network attack vector, low attack complexity, no privileges or user interaction required, and limited impact on confidentiality, integrity, and availability. The vulnerability could allow attackers to execute arbitrary commands on the device, potentially leading to device compromise, network pivoting, or disruption of network services.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for those using Wavlink NU516U1 routers in their network infrastructure. Successful exploitation could allow attackers to gain control over the router, leading to interception or manipulation of network traffic, unauthorized access to internal resources, or disruption of connectivity. This could impact confidentiality by exposing sensitive data, integrity by altering network configurations or data flows, and availability by causing denial of service. Given the router's role as a network gateway, compromise could facilitate lateral movement within corporate networks or serve as a foothold for further attacks. The lack of vendor response and patch availability increases the window of exposure. Organizations with remote or distributed offices relying on these devices are particularly vulnerable. Additionally, the public exploit availability raises the likelihood of opportunistic attacks targeting unpatched devices across Europe.

Mitigation Recommendations

Organizations should immediately inventory their network devices to identify any Wavlink NU516U1 routers running the vulnerable firmware version M16U1_V240425. Until a vendor patch is available, network administrators should implement compensating controls such as restricting access to the router's management interface to trusted IP addresses only, preferably via VPN or internal network segments. Disabling remote management features and the affected DeleteMac functionality, if possible, can reduce attack surface. Network-level protections like intrusion detection/prevention systems (IDS/IPS) should be configured to detect and block suspicious command injection patterns targeting the /cgi-bin/wireless.cgi endpoint. Regular monitoring of router logs for unusual commands or access attempts is advised. Organizations should engage with Wavlink support channels to seek updates or patches and consider replacing vulnerable devices if no remediation is forthcoming. Additionally, segmenting critical network assets behind more secure firewalls can limit potential damage from compromised routers.
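
One way to implement the detection suggested above, as an added example that is not part of the original advisory or of any vendor tooling: an allowlist check on delete_list for requests to /cgi-bin/wireless.cgi, run on request data taken from a reverse proxy or network sensor. It assumes legitimate values are MAC addresses joined by `,`, `;` or a space; the function name and the sample requests are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

ENDPOINT = "/cgi-bin/wireless.cgi"  # path named in the advisory
PARAM = "delete_list"               # argument named in the advisory

# Assumption: a legitimate value is one or more MAC addresses joined by a
# single ',', ';' or space. Anything else is reported, so no blacklist of
# shell metacharacters has to be kept up to date.
MAC = r"[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}"
ALLOWED = re.compile(rf"{MAC}(?:[ ,;]{MAC})*[ ,;]?")


def inspect_request(method, target, body=""):
    """Return findings for one HTTP request; an empty list means clean."""
    parts = urlsplit(target)
    # Decode and normalise the path so '%2f' or '//' variants still match.
    path = posixpath.normpath(unquote(parts.path))
    if path != ENDPOINT:
        return []
    # parse_qsl percent-decodes values, so encoded characters are checked too.
    pairs = parse_qsl(parts.query, keep_blank_values=True, separator="&")
    if method.upper() == "POST":
        pairs += parse_qsl(body, keep_blank_values=True, separator="&")
    return [
        f"{PARAM} is not a plain MAC list: {value!r}"
        for name, value in pairs
        if name == PARAM and not ALLOWED.fullmatch(value)
    ]


# Constructed sample requests (method, target, body); not captured traffic.
SAMPLES = [
    ("POST", ENDPOINT, "delete_list=00:11:22:33:44:55;66:77:88:99:AA:BB"),
    ("POST", ENDPOINT, "delete_list=00:11:22:33:44:55%3Bplaceholder"),
    ("GET", "/cgi-bin//wireless.cgi?delete_list=%24(placeholder)", ""),
    ("POST", "/other/page", "delete_list=00:11:22:33:44:55"),
]

if __name__ == "__main__":
    for method, target, body in SAMPLES:
        findings = inspect_request(method, target, body)
        print(method, target, "ALERT" if findings else "ok", findings)
```

Adjust the separator set in `ALLOWED` once the format the device actually sends has been confirmed from known-good traffic.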


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-25T10:06:36.173Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68d5866d384303d4316bb4b7

Added to database: 9/25/2025, 6:14:05 PM

Last enriched: 9/25/2025, 6:14:36 PM

Last updated: 9/25/2025, 7:30:16 PM
