Cyber Posture

CVE-2026-3703

CriticalPublic PoC

Published: 08 March 2026

Published
08 March 2026
Modified
10 March 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0028 51.6th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

A flaw has been found in Wavlink NU516U1 251208. This affects the function sub_401A10 of the file /cgi-bin/login.cgi. Executing a manipulation of the argument ipaddr can lead to out-of-bounds write. The attack may be performed from remote. The exploit has…

more

been published and may be used. Upgrading the affected component is recommended. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mitigates the CVE by requiring timely remediation of the out-of-bounds write flaw through application of the vendor-provided firmware patch.

SI-10 Information Input Validation good match
prevent

Prevents exploitation by enforcing validation of the ipaddr argument in /cgi-bin/login.cgi to block malformed inputs causing the out-of-bounds write.

SI-16 Memory Protection partial match
prevent

Mitigates successful exploitation of the out-of-bounds write by implementing memory protections such as stack canaries or non-executable memory to hinder arbitrary code execution.

Security SummaryAI

CVE-2026-3703 is an out-of-bounds write vulnerability in the Wavlink NU516U1 firmware version 251208, affecting the sub_401A10 function within the /cgi-bin/login.cgi file. The flaw is triggered by manipulating the ipaddr argument, as classified under CWE-119 and CWE-787. It carries a CVSS v3.1 base score of 9.8, reflecting its critical severity.

Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges, authentication, or user interaction (AV:N/AC:L/PR:N/UI:N/S:U). Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing arbitrary code execution or system takeover on affected devices.

Advisories recommend upgrading the affected component to the vendor-provided fixed firmware version, available at https://dl.wavlink.com/firmware/RD/WINSTAR_NU516U1-WO-A-2026-02-27-2fcf6ae-mt7628-squashfs-sysupgrade.bin. The vendor was contacted early, responded professionally, and promptly released the patch. Additional details are documented on VulDB at https://vuldb.com/?ctiid.349649 and https://vuldb.com/?id.349649.

A proof-of-concept exploit has been publicly disclosed on GitHub at https://github.com/Wlz1112/Wavlink-NU516U1-V251208-/blob/main/ipaddr.md and https://github.com/Wlz1112/Wavlink-NU516U1-V251208-/blob/main/ipaddr.md#exp-exploit--poc.

Details

CWE(s)
CWE-119CWE-787

Affected Products

wavlink
wl-nu516u1 firmware
251208

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

The vulnerability is an out-of-bounds write in a public-facing web CGI endpoint (/cgi-bin/login.cgi) exploitable remotely without authentication, directly enabling exploitation of public-facing applications for arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References