CVE-2024-39795

CVE-2024-39795 involves multiple external config control vulnerabilities in the nas.cgi set_nas() proftpd functionality of the Wavlink AC3000 router running firmware version M33A8.V5030.210505. These flaws allow a specially crafted HTTP request to bypass permissions, including a configuration injection vulnerability in the ftp_max_sessions POST parameter. The issue is classified under CWE-15 (External Control of System or Configuration Setting) with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical impact potential across confidentiality, integrity, and availability when scope is changed.

An authenticated attacker with high privileges can exploit these vulnerabilities by sending a malicious HTTP request to the affected nas.cgi endpoint. Successful exploitation leads to permission bypass and arbitrary configuration injection, enabling the attacker to alter ProFTPD settings such as maximum sessions, potentially disrupting services or escalating control over the device.

For mitigation details, refer to the Talos Intelligence advisory at https://talosintelligence.com/vulnerability_reports/TALOS-2024-2053, which provides analysis and recommendations specific to this vulnerability.