CVE-2025-10963: Command Injection in Wavlink NU516U1

Severity: Medium
Type: Vulnerability
Published: Thu Sep 25 2025 (09/25/2025, 19:02:05 UTC)
Source: CVE Database V5
Vendor/Project: Wavlink
Product: NU516U1

Description

A security flaw has been discovered in Wavlink NU516U1 M16U1_V240425. Affected is the function sub_4016F0 of the file /cgi-bin/firewall.cgi. The manipulation of the argument del_flag results in command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 09/25/2025, 19:34:15 UTC

Technical Analysis

CVE-2025-10963 is a command injection vulnerability identified in the Wavlink NU516U1 router, specifically in the firmware version M16U1_V240425. The flaw exists in the function sub_4016F0 within the /cgi-bin/firewall.cgi script. An attacker can manipulate the 'del_flag' argument to inject arbitrary commands, which the system executes. This vulnerability is remotely exploitable without requiring user interaction or prior authentication, making it particularly dangerous. The CVSS 4.0 base score is 5.3, indicating a medium severity level. The attack vector is network-based (AV:N), with low attack complexity (AC:L), low privileges required (PR:L), and no user interaction (UI:N). The vulnerability impacts confidentiality, integrity, and availability to a limited extent (VC:L, VI:L, VA:L). The vendor, Wavlink, was notified early but has not responded or released a patch, and no known exploits are currently observed in the wild. The public disclosure and availability of exploit details increase the risk of exploitation, especially on unpatched devices. The vulnerability affects a widely used consumer and small business router model, which typically manages network traffic and firewall rules, making successful exploitation potentially impactful for network security and device control.

Potential Impact

For European organizations, especially small and medium enterprises (SMEs) and home office users relying on Wavlink NU516U1 routers, this vulnerability poses a significant risk. Successful exploitation could allow attackers to execute arbitrary commands on the router, potentially leading to network compromise, interception or redirection of traffic, and disruption of network services. This could facilitate further attacks such as lateral movement, data exfiltration, or launching attacks against internal systems. The lack of vendor response and patch availability increases exposure time. Given the router’s role in perimeter defense, exploitation could undermine network integrity and availability, affecting business continuity. Critical infrastructure operators using these devices in less secure environments may also be at risk. The medium severity rating suggests moderate impact, but the ease of remote exploitation without authentication elevates the threat level. Organizations with limited IT security resources may be particularly vulnerable to exploitation and subsequent damage.

Mitigation Recommendations

Organizations should immediately identify and inventory all Wavlink NU516U1 devices running firmware version M16U1_V240425. Until a vendor patch is available, mitigation should focus on network-level controls: restrict remote access to the router’s management interface by implementing IP whitelisting or VPN access only; disable remote management features if not required; monitor network traffic for unusual activity targeting /cgi-bin/firewall.cgi or suspicious command injection patterns; employ intrusion detection/prevention systems (IDS/IPS) with updated signatures to detect exploitation attempts; segment networks to limit the impact of a compromised router; and consider replacing vulnerable devices with models from vendors with active security support. Additionally, organizations should maintain rigorous backup and recovery procedures to restore network devices if compromised. Regularly check for vendor updates or community patches and apply them promptly once available.
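The monitoring step above can be sketched as a small detector. This is an added example, not code from the advisory or from Wavlink: it flags requests to /cgi-bin/firewall.cgi whose del_flag value falls outside a conservative allowlist. The allowlist, the record layout (source IP, URL, body) and the sample traffic are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

TARGET_PATH = "/cgi-bin/firewall.cgi"   # endpoint named in the advisory
PARAM = "del_flag"                      # argument named in the advisory
# Assumption: legitimate del_flag values are short tokens of these characters.
# Anything else (shell metacharacters, whitespace, quotes) is reported.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_,.-]{0,64}")


def suspicious_del_flag(url, body=""):
    """Return the decoded del_flag values that fall outside the allowlist."""
    parts = urlsplit(url)
    if parts.path.rstrip("/") != TARGET_PATH:
        return []
    # The parameter may arrive in the query string or in a form-encoded body;
    # parse_qsl percent-decodes, so encoded metacharacters are caught too.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    return [v for k, v in pairs if k == PARAM and not SAFE_VALUE.fullmatch(v)]


def scan(records):
    """records: iterable of (source_ip, url, body); returns a list of alerts."""
    alerts = []
    for src, url, body in records:
        for value in suspicious_del_flag(url, body):
            alerts.append({"src": src, "path": TARGET_PATH, "value": value})
    return alerts


# Constructed sample traffic (not real captures). Addresses are documentation
# ranges; the "page" field and PLACEHOLDER strings are hypothetical.
SAMPLE = [
    ("192.0.2.10", "/cgi-bin/firewall.cgi", "page=constructed&del_flag=1"),
    ("198.51.100.7", "/cgi-bin/firewall.cgi", "del_flag=1%3BPLACEHOLDER"),
    ("198.51.100.7", "/cgi-bin/firewall.cgi?del_flag=%60PLACEHOLDER%60", ""),
    ("192.0.2.10", "/cgi-bin/login.cgi", "del_flag=%7CPLACEHOLDER"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Feed it records from a proxy, IDS or packet capture placed in front of the router's management interface, and tighten SAFE_VALUE once the values sent by the legitimate web UI are known.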


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-25T10:06:45.121Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68d5985b1b02452dbc516200

Added to database: 9/25/2025, 7:30:35 PM

Last enriched: 9/25/2025, 7:34:15 PM

Last updated: 10/2/2025, 12:11:00 AM
