CVE-2024-39786

Multiple directory traversal vulnerabilities exist in the nas.cgi add_dir() functionality of the Wavlink AC3000 router running firmware version M33A8.V5030.210505. These flaws, including one specifically within the `adddir_name` POST parameter, allow a specially crafted HTTP request to bypass permissions. The vulnerabilities are classified under CWE-22 and carry a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to network accessibility, low attack complexity, and high impacts across confidentiality, integrity, and availability with changed scope.

An authenticated attacker with high privileges (PR:H) can exploit these vulnerabilities by sending a malicious HTTP request to the affected nas.cgi endpoint. This triggers directory traversal, enabling permission bypass that grants unauthorized access to sensitive directories and files. Successful exploitation could allow the attacker to read, modify, or delete critical data, potentially leading to full compromise of the device given the high-impact CVSS metrics.

Mitigation details are outlined in the Cisco Talos Intelligence advisory at https://talosintelligence.com/vulnerability_reports/TALOS-2024-2057, which provides technical analysis and recommendations for addressing TALOS-2024-2057.