CVE-2024-39789
Published: 14 January 2025
Description
Multiple external config control vulnerabilities exist in the nas.cgi set_ftp_cfg() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to permission bypass. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A configuration injection vulnerability exists within the `ftp_port` POST parameter.
Security Summary
CVE-2024-39789 involves multiple external control of configuration vulnerabilities in the nas.cgi set_ftp_cfg() functionality of the Wavlink AC3000 router running firmware version M33A8.V5030.210505. These flaws, classified under CWE-15, enable permission bypass through a specially crafted HTTP request, with a specific configuration injection vulnerability in the ftp_port POST parameter. The issue carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to high impacts on confidentiality, integrity, and availability with a changed scope.
An attacker with high privileges (PR:H) can exploit this by sending an authenticated HTTP request to the vulnerable nas.cgi endpoint. This triggers the permission bypass and configuration injection, potentially allowing arbitrary modifications to system configurations, such as FTP settings, which could lead to unauthorized access, data exposure, service disruption, or further compromise of the device.
Mitigation details are outlined in the Talos Intelligence advisory at https://talosintelligence.com/vulnerability_reports/TALOS-2024-2056, which reported the vulnerabilities on 2025-01-14. Security practitioners should consult this reference for patch availability, workaround guidance, or firmware update recommendations specific to the affected Wavlink AC3000 devices.
Details
- CWE(s)