CVE-2024-34166
Published: 14 January 2025
Description
An os command injection vulnerability exists in the touchlist_sync.cgi touchlistsync() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted set of HTTP requests can lead to arbitrary code execution. An attacker can send an HTTP request to trigger this vulnerability.
Security Summary
CVE-2024-34166 is an OS command injection vulnerability in the touchlist_sync.cgi script's touchlistsync() function within the Wavlink AC3000 router firmware version M33A8.V5030.210505. It allows attackers to execute arbitrary operating system commands through specially crafted HTTP requests sent to the device. The vulnerability carries a CVSS v3.1 base score of 10.0 (Critical), reflecting its network accessibility, low attack complexity, lack of required privileges or user interaction, changed scope, and high impact on confidentiality, integrity, and availability (CWE-77: Command Injection).
Unauthenticated remote attackers can exploit this vulnerability by sending malicious HTTP requests to the affected touchlist_sync.cgi endpoint, leading to arbitrary code execution on the device. Given the CVSS vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), exploitation requires no authentication and can be performed over the network without user involvement, potentially granting full control over the router, including data exfiltration, further network pivoting, or persistent access.
Talos Intelligence advisories (TALOS-2024-2000) detail the vulnerability; security practitioners should consult these reports for technical analysis, proof-of-concept details, and any recommended mitigations or patches, as no vendor-specific remediation is specified in the CVE data.
Details
- CWE(s)