CVE-2026-3662 is a command injection vulnerability identified in the Wavlink WL-NU516U1 wireless device, firmware version 240425. The vulnerability resides in the usb_p910 function of the /cgi-bin/adm.cgi script, which processes the Pr_mode parameter. Improper sanitization or validation of this parameter allows an attacker to inject arbitrary system commands. This injection occurs remotely without requiring authentication or user interaction, enabling an attacker to execute commands with elevated privileges. The vulnerability is classified as medium severity with a CVSS 4.0 score of 5.1, indicating a moderate risk. The attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The impact on confidentiality, integrity, and availability is limited but present (VC:L, VI:L, VA:L). The vendor was contacted early, but no patches or mitigations have been publicly released yet. No known exploits have been observed in the wild, but public disclosure of the exploit details increases the risk of exploitation. This vulnerability could allow attackers to gain unauthorized control over the device, potentially leading to further network compromise or disruption of services.

The exploitation of CVE-2026-3662 could allow remote attackers to execute arbitrary commands on affected Wavlink WL-NU516U1 devices, potentially leading to unauthorized control over the device. This could result in disruption of network services, interception or manipulation of network traffic, or use of the device as a foothold for lateral movement within an organization's network. Given the device’s role as a network access point, compromise could impact confidentiality, integrity, and availability of connected systems. Organizations relying on this device for critical network infrastructure may face operational disruptions and increased risk of broader network compromise. The lack of authentication and user interaction requirements increases the likelihood of exploitation, especially in environments where the device is exposed to untrusted networks. However, the medium severity score and limited scope of impact suggest that while serious, the threat is not critical but should be addressed promptly to prevent escalation.

Organizations should immediately assess their network for the presence of Wavlink WL-NU516U1 devices running firmware version 240425. Until an official patch is released, network segmentation should be implemented to isolate these devices from critical infrastructure and limit exposure to untrusted networks. Access to the device’s management interface should be restricted using firewall rules or VPNs to prevent unauthorized remote access. Monitoring network traffic for unusual commands or activity targeting /cgi-bin/adm.cgi endpoints can help detect exploitation attempts. If possible, disable or restrict the usb_p910 function or related services until a patch is available. Regularly check for firmware updates from Wavlink and apply them promptly once released. Additionally, consider replacing affected devices with alternative hardware if mitigation is not feasible or if the device is critical to network security.