CVE-2024-39756

A buffer overflow vulnerability, tracked as CVE-2024-39756 and published on 2025-01-14, affects the adm.cgi rep_as_router() functionality in Wavlink AC3000 routers running firmware version M33A8.V5030.210505. The issue stems from CWE-120 (Buffer Copy without Checking Size of Input), where a specially crafted HTTP request triggers a stack-based buffer overflow. This flaw has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its potential for high confidentiality, integrity, and availability impacts with changed scope.

Exploitation requires an authenticated attacker with high privileges (PR:H) to send a malicious HTTP request to the vulnerable component over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation can lead to arbitrary code execution, enabling full compromise of the affected router, including potential data theft, modification of configurations, or denial of service.

Mitigation details are available in the Talos Intelligence advisory at https://talosintelligence.com/vulnerability_reports/TALOS-2024-2024. Security practitioners should consult this report for patch information, workarounds, or firmware updates specific to the Wavlink AC3000 device.