CVE-2024-39782
Published: 14 January 2025
Description
Multiple OS command injection vulnerabilities exist in the adm.cgi sch_reboot() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to a arbitrary code execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A command injection vulnerability exists in the `restart_min` POST parameter.
Security Summary
Multiple OS command injection vulnerabilities, classified under CWE-77, affect the adm.cgi sch_reboot() functionality in the Wavlink AC3000 router running firmware version M33A8.V5030.210505. These flaws, tracked as CVE-2024-39782 and published on 2025-01-14, allow arbitrary code execution through a specially crafted HTTP request. One specific instance involves the `restart_min` POST parameter, enabling attackers to inject malicious commands into the system's execution flow.
Exploitation requires an authenticated attacker with high privileges (PR:H), who can send a malicious HTTP request over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation grants scope-changed (S:C) access, resulting in high confidentiality, integrity, and availability impacts (C:H/I:H/A:H), as scored at CVSS 9.1. This enables full arbitrary code execution on the device.
Talos Intelligence documented these issues in vulnerability report TALOS-2024-2033, available at https://talosintelligence.com/vulnerability_reports/TALOS-2024-2033. Security practitioners should consult this advisory for detailed technical analysis and any recommended mitigations or patches.
Details
- CWE(s)