CVE-2024-39761
Published: 14 January 2025
Description
Multiple OS command injection vulnerabilities exist in the login.cgi set_sys_init() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can make an unauthenticated HTTP request to trigger these vulnerabilities.A command injection vulnerability exists within the `restart_week_value` POST parameter.
Security Summary
CVE-2024-39761 is a set of multiple OS command injection vulnerabilities (CWE-77) in the login.cgi set_sys_init() functionality of the Wavlink AC3000 router running firmware version M33A8.V5030.210505. These flaws allow a specially crafted HTTP request to trigger arbitrary code execution, with a specific instance involving command injection via the `restart_week_value` POST parameter. The vulnerability carries a maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and lack of prerequisites.
An unauthenticated attacker can exploit these vulnerabilities remotely by sending a malicious HTTP request to the affected device, leading to arbitrary code execution with elevated privileges. This grants full control over the router, potentially enabling data theft, further network compromise, or persistent access, as reflected in the high impact metrics for confidentiality, integrity, and availability alongside a changed scope.
Mitigation details and additional technical analysis are available in the Cisco Talos Intelligence advisory at https://talosintelligence.com/vulnerability_reports/TALOS-2024-2018.
Details
- CWE(s)