CVE-2024-36258

A stack-based buffer overflow vulnerability, tracked as CVE-2024-36258 and associated with CWE-121, affects the touchlist_sync.cgi touchlistsync() functionality in Wavlink AC3000 routers running firmware version M33A8.V5030.210505. The issue arises when processing a specially crafted HTTP request, which can trigger the overflow and lead to arbitrary code execution.

The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating it is exploitable remotely over the network with low complexity, no required privileges or user interaction, and high impact across confidentiality, integrity, and availability due to a change in scope. Any unauthenticated attacker capable of sending an HTTP request to the affected device can trigger the buffer overflow to achieve arbitrary code execution, potentially compromising the router fully.

Mitigation details and technical analysis are provided in the Talos Intelligence advisory TALOS-2024-2046, available at https://talosintelligence.com/vulnerability_reports/TALOS-2024-2046. No patches or vendor-specific remediations are detailed in the available information.