CVE-2024-39360

Name of the Vulnerable Software and Affected Versions: Wavlink AC3000 version M33A8.V5030.210505

Description: A system command injection issue exists in the nas.cgi remove dir() functionality. This can be triggered by a specially crafted HTTP request, potentially leading to arbitrary code execution. An attacker can make an authenticated HTTP request to exploit this issue. The estimated number of potentially affected devices worldwide is not specified. Details about real-world incidents where this issue was exploited are not provided.

Recommendations: For version M33A8.V5030.210505, consider disabling the remove dir() function in nas.cgi as a temporary workaround until a patch is available. Restrict access to the nas.cgi module to minimize the risk of exploitation. Avoid using the remove dir() function in the affected HTTP endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.