CVE-2024-39765

Name of the Vulnerable Software and Affected Versions: Wavlink AC3000 version M33A8.V5030.210505

Description: Multiple OS command injection vulnerabilities exist in the internet.cgi set add routing() functionality. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities. A command injection vulnerability exists in the custom interface POST parameter.

Recommendations: For version M33A8.V5030.210505, consider disabling the set add routing() function in the internet.cgi until a patch is available. Restrict access to the custom interface POST parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.