CVE-2024-39608

CVE-2024-39608 is a firmware update vulnerability in the login.cgi functionality of the Wavlink AC3000 router running firmware version M33A8.V5030.210505. The issue stems from CWE-306 (Missing Authentication for Critical Function), where a specially crafted HTTP request enables arbitrary firmware updates without proper validation. This flaw has a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, lack of privileges or user interaction required, and potential for scope change with high impacts across confidentiality, integrity, and availability.

Any unauthenticated attacker with network access to the affected device can exploit this vulnerability by sending a malicious HTTP request to the login.cgi endpoint, triggering an arbitrary firmware update. Successful exploitation allows the attacker to install malicious firmware, potentially leading to full device compromise, persistent access, data theft, or use as a pivot point in the network.

Mitigation details are provided in the Talos Intelligence advisory at https://talosintelligence.com/vulnerability_reports/TALOS-2024-2036, which documents the vulnerability and recommends applying vendor patches or firmware updates when available, along with network segmentation and exposure controls for the affected devices.