CVE-2024-39759

Name of the Vulnerable Software and Affected Versions Wavlink AC3000 versions M33A8.V5030.210505

Description The issue is related to the set sys init() function in the login.cgi script of the Wavlink AC3000 router's firmware, which fails to properly sanitize the restart hour value parameter. This allows a remote attacker to execute arbitrary commands by sending specially crafted HTTP requests. The vulnerability can be triggered by an unauthenticated HTTP request, leading to arbitrary code execution. The restart hour value POST parameter is specifically vulnerable to command injection.

Recommendations For version M33A8.V5030.210505, consider disabling the set sys init() function until a patch is available. Restrict access to the login.cgi script to minimize the risk of exploitation. Avoid using the restart hour value parameter in the affected HTTP endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.