CVE-2026-2615 is a command injection vulnerability identified in the Wavlink WL-NU516U1 router firmware versions up to 20251208. The vulnerability resides in the singlePortForwardDelete function of the /cgi-bin/firewall.cgi script. Specifically, the del_flag parameter is improperly sanitized, allowing an attacker to inject arbitrary shell commands. This flaw enables remote code execution without requiring authentication or user interaction, making it highly exploitable over the network. The vulnerability impacts the confidentiality, integrity, and availability of affected devices, as attackers can execute commands to manipulate device settings, intercept or redirect traffic, or disrupt network operations. The vendor was contacted but has not responded or issued a patch, increasing the urgency for organizations to implement mitigations. Although no exploits have been observed in the wild, proof-of-concept code is publicly available, raising the risk of imminent attacks. The vulnerability’s CVSS 4.0 score of 8.6 reflects its high severity, with low attack complexity and no privileges or user interaction needed. This makes it a critical concern for any network relying on the WL-NU516U1 router, especially where remote management interfaces are exposed to untrusted networks.

For European organizations, this vulnerability poses a significant threat to network security and operational continuity. Exploitation could lead to unauthorized control over affected routers, enabling attackers to intercept sensitive communications, alter firewall rules, or launch further attacks within the internal network. This could compromise confidential data, disrupt business operations, and damage organizational reputation. Critical infrastructure sectors such as finance, healthcare, and government agencies using these devices are particularly vulnerable. The lack of vendor response and patch availability increases the risk of exploitation. Additionally, the ability to execute commands remotely without authentication means attackers can target these devices en masse, potentially leading to widespread network outages or facilitating lateral movement in targeted attacks. European organizations with remote management enabled or insufficient network segmentation are at heightened risk.

1. Immediately disable remote management interfaces on all Wavlink WL-NU516U1 devices to prevent external exploitation. 2. Restrict access to router management interfaces to trusted internal networks only, using firewall rules or VPNs. 3. Implement network segmentation to isolate vulnerable devices from critical systems and sensitive data. 4. Monitor network traffic and device logs for unusual commands or access patterns indicative of exploitation attempts. 5. If possible, replace affected devices with models from vendors that provide timely security updates. 6. Apply strict input validation and filtering on any exposed web interfaces, if custom firmware or configurations are used. 7. Maintain an inventory of all Wavlink devices and verify firmware versions to identify vulnerable units. 8. Engage with Wavlink support channels regularly for updates or patches. 9. Prepare incident response plans specifically addressing potential router compromise scenarios. 10. Consider deploying network intrusion detection systems (NIDS) tuned to detect command injection attempts targeting /cgi-bin/firewall.cgi endpoints.