CVE-2026-3661 identifies a command injection vulnerability in the Wavlink WL-NU516U1 router firmware version 240425. The vulnerability resides in the ota_new_upgrade function of the /cgi-bin/adm.cgi script, which processes the 'model' argument insecurely, allowing an attacker to inject arbitrary shell commands. This injection occurs due to insufficient input validation or sanitization of user-supplied parameters. The flaw is exploitable remotely over the network without requiring authentication or user interaction, increasing its risk profile. The vulnerability could allow attackers to execute arbitrary commands with elevated privileges, potentially leading to full device compromise, disruption of service, or pivoting into internal networks. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no authentication required (AT:N), no user interaction (UI:N), but with high privileges required (PR:H), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Despite the medium severity rating, the ability to execute commands remotely makes this a significant risk. The vendor was contacted early, but no official patches or mitigations have been published yet. No active exploitation has been reported, but a public exploit is available, increasing the urgency for mitigation.

The vulnerability allows remote attackers to execute arbitrary commands on affected Wavlink WL-NU516U1 devices, potentially leading to full device compromise. This can result in unauthorized access to network traffic, disruption of network services, and use of the device as a foothold for lateral movement within corporate or home networks. The integrity and availability of the device and connected systems may be compromised. Organizations relying on this router model for critical network infrastructure or internet access could face service outages or data breaches. The medium CVSS score reflects some mitigating factors such as the requirement for high privileges, but the lack of authentication and remote exploitability significantly increase the threat. The published exploit code raises the risk of opportunistic attacks, especially in environments where devices are exposed to the internet without adequate network segmentation or firewall protections.

1. Immediately isolate affected Wavlink WL-NU516U1 devices from untrusted networks to prevent remote exploitation. 2. Monitor network traffic for unusual activity originating from these devices, including unexpected command execution or outbound connections. 3. Implement strict network segmentation to limit device exposure and restrict access to the device management interface. 4. Disable remote management features if not required, especially access to /cgi-bin/adm.cgi endpoints. 5. Use firewall rules to block unauthorized inbound traffic targeting the device’s management ports. 6. Regularly check for firmware updates or security advisories from Wavlink and apply patches promptly once available. 7. Consider replacing affected devices with models that have a better security track record if patches are delayed. 8. Employ intrusion detection systems (IDS) tuned to detect command injection attempts or exploitation patterns related to this vulnerability. 9. Enforce strong network access controls and multi-factor authentication on management interfaces where possible to reduce privilege escalation risks.