CVE-2026-2567 is a stack-based buffer overflow vulnerability identified in the Wavlink WL-NU516U1 device, specifically in firmware version 20251208. The flaw exists in the function sub_401218 within the /cgi-bin/nas.cgi file, which processes the User1Passwd argument. By sending a specially crafted request manipulating this argument, an attacker can overflow the stack buffer, potentially overwriting the return address or other control data on the stack. This can lead to arbitrary code execution or denial of service. The vulnerability is remotely exploitable over the network without requiring authentication or user interaction, making it highly dangerous. The CVSS v4.0 score of 8.6 reflects its high severity, with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The vulnerability impacts confidentiality, integrity, and availability with high scope and impact. Although no known exploits are currently observed in the wild, the availability of exploit code increases the likelihood of future attacks. The affected product, Wavlink WL-NU516U1, is a network-attached storage device used in various environments, including home and small business networks. The lack of an official patch or mitigation guidance at the time of publication necessitates immediate risk management by affected users.

The impact of CVE-2026-2567 is significant for organizations and individuals using the Wavlink WL-NU516U1 device. Successful exploitation can lead to remote code execution, allowing attackers to take full control of the device. This can result in unauthorized access to sensitive data stored on the device, disruption of network-attached storage services, and potential pivoting to other internal network resources. The compromise of these devices could facilitate data theft, ransomware deployment, or use as a foothold for broader network attacks. Given the device’s role in network storage, confidentiality and integrity of stored data are at high risk. Availability may also be affected if the device is rendered inoperable. The remote, unauthenticated nature of the exploit increases the threat level, especially in environments where these devices are exposed to untrusted networks or the internet. Organizations relying on this device for critical data storage or backup should consider the vulnerability a high priority for remediation to avoid operational disruption and data breaches.

1. Immediate mitigation should focus on isolating the affected Wavlink WL-NU516U1 devices from untrusted networks, especially the internet, to reduce exposure to remote attacks. 2. Network segmentation should be implemented to limit access to these devices only to trusted internal users and systems. 3. Monitor network traffic for unusual or malformed requests targeting /cgi-bin/nas.cgi or attempts to manipulate the User1Passwd parameter. 4. If possible, disable or restrict access to the vulnerable CGI interface until a patch is available. 5. Engage with Wavlink support or vendor channels to obtain firmware updates or official patches addressing this vulnerability. 6. Employ intrusion detection/prevention systems (IDS/IPS) with signatures for this vulnerability once available. 7. Conduct regular backups of critical data stored on these devices to mitigate data loss risks. 8. Educate network administrators about this vulnerability and ensure timely application of security updates when released. 9. Consider replacing affected devices with models that have a better security track record if patching is not feasible in the short term.