CVE-2024-37357

A stack-based buffer overflow vulnerability, designated CVE-2024-37357 and associated with CWE-120, affects the adm.cgi set_TR069() functionality in Wavlink AC3000 routers running firmware version M33A8.V5030.210505. The issue arises when processing a specially crafted HTTP request, leading to a buffer overflow condition. Published on January 14, 2025, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact exploitation.

Exploitation requires an authenticated attacker with high privileges (PR:H) to send a malicious HTTP request over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful triggering changes scope (S:C) and can result in high confidentiality, integrity, and availability impacts (C:H/I:H/A:H), potentially enabling arbitrary code execution or system compromise on the affected device.

The primary advisory from Talos Intelligence (TALOS-2024-2029) documents the vulnerability at https://talosintelligence.com/vulnerability_reports/TALOS-2024-2029, where security practitioners can find detailed analysis and recommended mitigations.