CVE-2024-39367
Published: 14 January 2025
Description
An os command injection vulnerability exists in the firewall.cgi iptablesWebsFilterRun() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
Security Summary
CVE-2024-39367 is an OS command injection vulnerability in the firewall.cgi iptablesWebsFilterRun() functionality of the Wavlink AC3000 router running firmware version M33A8.V5030.210505. The flaw allows a specially crafted HTTP request to trigger arbitrary code execution and is classified under CWE-77. It has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and potential for high-impact confidentiality, integrity, and availability effects across a changed scope.
An authenticated attacker with high privileges can exploit this vulnerability by sending a malicious HTTP request to the affected firewall.cgi endpoint. Successful exploitation leads to arbitrary code execution on the underlying operating system, potentially granting full control over the device.
For mitigation details, refer to the Talos Intelligence advisory at https://talosintelligence.com/vulnerability_reports/TALOS-2024-2023. The vulnerability was published on January 14, 2025.
Details
- CWE(s)