CVE-2024-39760

Name of the Vulnerable Software and Affected Versions Wavlink AC3000 (WL-WN533A8) versions prior to the fixed version

Description The issue is related to the set sys init() function in the login.cgi script of the Wavlink AC3000 router's firmware. It is caused by the lack of proper data sanitization on the management level when handling the restart min value parameter. This allows a remote attacker to execute arbitrary commands by sending specially crafted HTTP requests to the '/login.cgi' endpoint, potentially leading to arbitrary code execution. The restart min value POST parameter is specifically vulnerable to command injection.

Recommendations For Wavlink AC3000 (WL-WN533A8) versions prior to the fixed version: As a temporary workaround, consider disabling the set sys init() function until a patch is available. Restrict access to the /login.cgi endpoint to minimize the risk of exploitation. Avoid using the restart min value parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.