CVE-2024-39604
Published: 14 January 2025
Description
A command execution vulnerability exists in the update_filter_url.sh functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.
Security Summary
CVE-2024-39604 is a command execution vulnerability in the update_filter_url.sh functionality of the Wavlink AC3000 router running firmware version M33A8.V5030.210505. The flaw allows a specially crafted HTTP request to trigger arbitrary command execution on the device. It has been assigned a CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) and is associated with CWE-74, indicating an injection-related issue.
The vulnerability can be exploited by a remote attacker performing a man-in-the-middle (MitM) attack, which aligns with the high attack complexity (AC:H) in its CVSS vector. No user privileges or interaction are required (PR:N/UI:N), and successful exploitation grants high-impact scope (S:C) with full confidentiality, integrity, and availability compromise (C:H/I:H/A:H), enabling arbitrary command execution on the targeted router.
Details on mitigation, including any patches or workarounds, are available in the Cisco Talos Intelligence advisory TALOS-2024-2038, accessible at https://talosintelligence.com/vulnerability_reports/TALOS-2024-2038. The vulnerability was published on 2025-01-14.
Details
- CWE(s)