CVE-2026-3704 is a command injection vulnerability affecting the Wavlink NU516U1 router, firmware version 251208. The vulnerability resides in the sub_405B2C function within the /cgi-bin/firewall.cgi CGI script, which handles firewall configuration. This flaw is a consequence of an incomplete remediation of a previous vulnerability (CVE-2025-10959), indicating that the patch did not fully address the root cause. Attackers can remotely exploit this vulnerability without user interaction or authentication, leveraging the command injection to execute arbitrary system commands with elevated privileges. The vulnerability's CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:H, which suggests high privileges but the description states remote initiation, so possibly a discrepancy), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). The vendor was notified early and responded professionally by releasing a fixed firmware version. While no public exploits are currently known, the public disclosure increases the risk of exploitation. The vulnerability affects only the specific firmware version 251208 of the NU516U1 model, limiting the scope but still posing a risk to users of this device. The vulnerability allows attackers to manipulate firewall.cgi parameters to inject commands, potentially leading to unauthorized control over the device, data leakage, or disruption of network services.

The primary impact of CVE-2026-3704 is unauthorized remote command execution on affected Wavlink NU516U1 devices, which can compromise device integrity and availability. Attackers could manipulate firewall settings, disrupt network traffic, or use the device as a foothold for further attacks within an organization's network. Confidentiality could be partially impacted if attackers access sensitive configuration data or intercept traffic. Although the CVSS score is medium, the ability to execute commands remotely without user interaction increases the risk. Organizations relying on this router model for network perimeter security or internal segmentation may face increased exposure to lateral movement or persistent compromise. The vulnerability could also be leveraged in botnet formation or as part of larger multi-stage attacks. Given the limited affected firmware version, the overall global impact is contained but significant for users of this specific device and firmware.

Organizations should immediately verify if they are using Wavlink NU516U1 devices running firmware version 251208 and upgrade to the latest patched firmware released by Wavlink. Network administrators should restrict access to the router's management interfaces, especially the /cgi-bin/firewall.cgi endpoint, by limiting it to trusted IP addresses or internal networks. Employ network segmentation to isolate vulnerable devices from critical infrastructure. Monitor network traffic for unusual activity or command injection attempts targeting the firewall CGI scripts. Implement strict firewall rules to block unauthorized remote access to router management interfaces. Regularly audit and update device firmware to ensure all security patches are applied promptly. If upgrading firmware is not immediately possible, consider disabling remote management features or restricting them via VPN or secure channels. Finally, maintain an inventory of network devices and their firmware versions to quickly identify and remediate vulnerable assets.