CVE-2024-39358
Published: 14 January 2025
Description
A buffer overflow vulnerability exists in the adm.cgi set_wzap() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to stack-based buffer overflow. An attacker can make an authenticated HTTP request to trigger this vulnerability.
Security Summary
CVE-2024-39358 is a stack-based buffer overflow vulnerability in the adm.cgi set_wzap() functionality of the Wavlink AC3000 router running firmware version M33A8.V5030.210505. The flaw, classified under CWE-120, arises when processing a specially crafted HTTP request, leading to a buffer overflow condition. It was published on January 14, 2025, and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact exploitation across confidentiality, integrity, and availability.
An authenticated attacker with high privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By sending a malicious HTTP request to the affected adm.cgi endpoint, the attacker triggers the stack-based buffer overflow, potentially achieving arbitrary code execution, full system compromise, or denial of service, with a scope change that extends impact beyond the vulnerable component.
Details on mitigation, including any available patches or workarounds, are documented in the Talos Intelligence advisory at https://talosintelligence.com/vulnerability_reports/TALOS-2024-2027. Security practitioners should consult this report for vendor-specific remediation guidance and verify firmware updates for the Wavlink AC3000 device.
Details
- CWE(s)