CVE-2024-38666

Name of the Vulnerable Software and Affected Versions: Wavlink AC3000 version M33A8.V5030.210505

Description: A vulnerability exists in the openvpn client setup() function of the openvpn.cgi functionality, allowing for arbitrary command execution through a specially crafted HTTP request. An attacker can trigger this issue by making an authenticated HTTP request.

Recommendations: For Wavlink AC3000 version M33A8.V5030.210505, consider disabling the openvpn client setup() function until a patch is available to prevent exploitation. Restrict access to the openvpn.cgi functionality to minimize the risk of arbitrary command execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.