CVE-2026-3704 is a command injection vulnerability affecting the Wavlink NU516U1 router, firmware version 251208. The vulnerability exists in the function sub_405B2C within the /cgi-bin/firewall.cgi script, which is part of the device's firewall management interface. This flaw is a result of an incomplete remediation of a previous vulnerability (CVE-2025-10959), indicating that the patch applied earlier did not fully address the underlying issue. The vulnerability allows an unauthenticated remote attacker to inject and execute arbitrary system commands on the device. The attack vector is network-based, requiring no user interaction and no authentication, making it accessible to any attacker capable of reaching the device's management interface remotely. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:H - indicating high privileges required, but the description suggests remote unauthenticated access, which may indicate some inconsistency), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability individually but combined could be significant. The vendor was notified early and responded professionally by releasing a fixed firmware version promptly. No public exploits are currently known to be actively used in the wild, but the public disclosure increases the risk of exploitation. The vulnerability affects only the specified firmware version 251208, so devices running other versions may not be vulnerable. The flaw's presence in a widely deployed consumer and small business router model increases the potential attack surface.

The primary impact of CVE-2026-3704 is unauthorized remote command execution on affected Wavlink NU516U1 devices. Successful exploitation can lead to full compromise of the router, allowing attackers to alter firewall rules, intercept or redirect network traffic, deploy malware, or pivot into internal networks. This threatens the confidentiality and integrity of data traversing the device and can disrupt availability by modifying or disabling network services. Organizations relying on these routers for perimeter defense or internal segmentation may face increased risk of lateral movement and data exfiltration. The medium CVSS score reflects moderate ease of exploitation and impact, but the real-world consequences could be severe if exploited in critical environments. The lack of known active exploits currently reduces immediate risk but does not eliminate the threat, especially given the public disclosure. The vulnerability could be leveraged in targeted attacks against enterprises, government agencies, or critical infrastructure operators using these devices. Consumer and small business users may also be at risk of device takeover and subsequent use in botnets or other malicious activities.

To mitigate CVE-2026-3704, affected organizations and users should immediately upgrade the Wavlink NU516U1 firmware to the vendor-released fixed version. If upgrading is not immediately possible, restrict remote access to the router’s management interface by disabling remote administration features or limiting access via firewall rules to trusted IP addresses only. Network segmentation should be employed to isolate vulnerable devices from critical assets. Monitoring network traffic for unusual activity or command injection attempts targeting /cgi-bin/firewall.cgi can help detect exploitation attempts. Employing intrusion detection/prevention systems (IDS/IPS) with signatures for command injection patterns may provide additional defense. Regularly audit and update all network devices to ensure they are running supported and patched firmware versions. Vendors and administrators should verify that previous patches fully remediate vulnerabilities to avoid incomplete fixes. Finally, maintain an incident response plan to quickly address any compromise resulting from exploitation.