CVE-2024-36295
Published: 14 January 2025
Description
A command execution vulnerability exists in the qos.cgi qos_sta() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
Security Summary
CVE-2024-36295 is a command execution vulnerability in the qos.cgi qos_sta() functionality of the Wavlink AC3000 router running firmware version M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution on the device. The vulnerability, published on 2025-01-14, is associated with CWE-74 and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and high impacts across confidentiality, integrity, availability, and scope.
An authenticated attacker with high privileges (PR:H) can exploit this vulnerability by sending a malicious HTTP request to the qos.cgi endpoint. No user interaction is required, enabling remote exploitation over the network with low complexity. Successful exploitation grants arbitrary command execution, allowing full control over the device and potentially leading to complete compromise.
Mitigation details are provided in the Talos Intelligence advisory (TALOS-2024-2047), available at https://talosintelligence.com/vulnerability_reports/TALOS-2024-2047. Security practitioners should consult this report for recommended patches or workarounds specific to the affected Wavlink AC3000 firmware.
Details
- CWE(s)