CVE-2025-10964: Command Injection in Wavlink NU516U1

Medium
Published: Thu Sep 25 2025 (09/25/2025, 19:32:05 UTC)
Source: CVE Database V5
Vendor/Project: Wavlink
Product: NU516U1

Description

A weakness has been identified in Wavlink NU516U1. Affected by this vulnerability is the function sub_401B30 of the file /cgi-bin/firewall.cgi. Manipulation of the argument remoteManagementEnabled causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 09/25/2025, 19:38:54 UTC

Technical Analysis

CVE-2025-10964 is a command injection vulnerability found in the Wavlink NU516U1 router, specifically in the /cgi-bin/firewall.cgi script within the function sub_401B30. The vulnerability arises from improper sanitization or validation of the 'remoteManagementEnabled' argument, which an attacker can manipulate to inject arbitrary commands. This flaw allows remote attackers to execute commands on the device without requiring authentication or user interaction, leveraging network access to the device's management interface. The vulnerability has a CVSS 4.0 base score of 5.3, indicating a medium severity level, with characteristics including network attack vector, low attack complexity, no privileges or user interaction required, and partial impact on confidentiality, integrity, and availability. The vendor, Wavlink, has not responded to disclosure attempts, and no patches or mitigations have been officially released. Although no known exploits are reported in the wild yet, public exploit code is available, increasing the risk of exploitation. The vulnerability affects all versions of the NU516U1 model, which is a consumer-grade router commonly used in small office and home environments. Exploitation could lead to unauthorized command execution, potentially allowing attackers to alter device configurations, intercept or redirect network traffic, or use the device as a foothold for further network compromise.

Potential Impact

For European organizations, especially small and medium enterprises (SMEs) and home office users relying on the Wavlink NU516U1 router, this vulnerability poses a significant risk. Successful exploitation could lead to unauthorized access to internal networks, data interception, or lateral movement within corporate environments. Given the router's role as a gateway device, compromise could undermine network confidentiality and integrity, enabling attackers to manipulate firewall rules or redirect traffic to malicious endpoints. The lack of vendor response and patches increases exposure duration, heightening risk. Critical infrastructure or organizations with remote management enabled on these devices are particularly vulnerable. Additionally, the public availability of exploit code lowers the barrier for attackers, potentially increasing targeted attacks against European entities using this hardware. The medium severity rating suggests moderate impact, but the ease of exploitation and network-level access elevate the threat level in practice.

Mitigation Recommendations

Organizations should immediately audit their network environments to identify the presence of Wavlink NU516U1 devices. If found, disable remote management features to reduce exposure. Network segmentation should be enforced to isolate vulnerable devices from critical systems. Employ strict firewall rules to restrict access to router management interfaces to trusted IP addresses only. Monitor network traffic for unusual activity indicative of exploitation attempts. Where possible, replace affected devices with models from vendors providing timely security updates. In the absence of official patches, consider deploying network intrusion detection/prevention systems (IDS/IPS) with signatures targeting known exploit patterns for this vulnerability. Regularly update device firmware if future patches become available and maintain close communication with Wavlink for security advisories. Additionally, educate users on the risks of enabling remote management without proper safeguards.
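The monitoring and access-restriction steps above can be sketched as a log check. This is an added example, not part of the original advisory or any vendor tooling. It reviews HTTP requests seen in front of the router and flags those that reach /cgi-bin/firewall.cgi from outside a trusted management subnet or carry an unexpected remoteManagementEnabled value. Assumptions: the trusted subnet, the allowlist of legitimate values (a short alphanumeric flag), the function names, and the sample requests are all constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

CGI_PATH = "/cgi-bin/firewall.cgi"   # path named in the advisory
PARAM = "remoteManagementEnabled"    # argument named in the advisory
# Assumption: a legitimate value is a short alphanumeric flag such as 0 or 1.
SAFE_VALUE = re.compile(r"[A-Za-z0-9]{1,8}")
# Assumption: router management is only expected from this subnet.
TRUSTED_NETS = [ipaddress.ip_network("192.168.10.0/24")]


def param_values(target, body):
    """Collect every decoded value of PARAM from the query string and form body."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    return [value for key, value in pairs if key == PARAM]


def review_request(src_ip, target, body=""):
    """Return the findings for one HTTP request observed in front of the router."""
    if urlsplit(target).path != CGI_PATH:
        return []
    findings = []
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in TRUSTED_NETS):
        findings.append("untrusted-source")
    values = param_values(target, body)
    if len(values) > 1:
        # The same argument sent twice can hide a second value from a filter.
        findings.append("duplicate-parameter")
    if any(not SAFE_VALUE.fullmatch(value) for value in values):
        # Anything outside the allowlist (empty, separators, spaces) is reported.
        findings.append("unexpected-value")
    return findings


# Constructed sample requests: (source IP, request target, form body)
SAMPLES = [
    ("192.168.10.5", "/cgi-bin/firewall.cgi", "remoteManagementEnabled=1"),
    ("192.168.10.5", "/cgi-bin/firewall.cgi", "remoteManagementEnabled=1%3BPLACEHOLDER"),
    ("203.0.113.7", "/cgi-bin/firewall.cgi?remoteManagementEnabled=0", ""),
    ("203.0.113.7", "/cgi-bin/login.cgi", "user=admin"),
]

if __name__ == "__main__":
    for src, target, body in SAMPLES:
        print(src, target, review_request(src, target, body))
```

The allowlist check reports any value that is not a plain flag rather than trying to enumerate injection patterns, so it does not depend on the details of a particular exploit.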


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-25T10:06:51.110Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68d59a07384a6c1fec5c37fa

Added to database: 9/25/2025, 7:37:43 PM

Last enriched: 9/25/2025, 7:38:54 PM

Last updated: 10/2/2025, 2:01:09 PM
