CVE-2024-39793

CVE-2024-39793 involves multiple external control of configuration vulnerabilities in the nas.cgi set_nas() proftpd functionality of the Wavlink AC3000 router running firmware version M33A8.V5030.210505. These flaws allow a specially crafted HTTP request to bypass permissions, enabling unauthorized configuration changes. Additionally, a configuration injection vulnerability affects the ftp_name POST parameter, classified under CWE-15 (External Control of System or Configuration Setting). The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact confidentiality, integrity, and availability effects with scope expansion.

An authenticated attacker with high privileges (PR:H) can exploit these issues by sending a malicious HTTP request to the affected nas.cgi endpoint. This triggers permission bypass and configuration injection, potentially allowing the attacker to modify ProFTPD settings or other NAS-related configurations arbitrarily. Successful exploitation grants network-accessible (AV:N) control with low complexity (AC:L) and no user interaction (UI:N), leading to complete compromise of the device's configuration.

Mitigation details and technical analysis are provided in the Talos Intelligence advisory TALOS-2024-2053, available at https://talosintelligence.com/vulnerability_reports/TALOS-2024-2053. Security practitioners should consult this report for patching instructions or workarounds specific to the Wavlink AC3000 device.