CVE-2024-39781

Name of the Vulnerable Software and Affected Versions: Wavlink AC3000 version M33A8.V5030.210505

Description: Multiple OS command injection vulnerabilities exist in the sch reboot() functionality of adm.cgi, allowing for arbitrary code execution through a specially crafted HTTP request. An attacker can trigger these vulnerabilities by making an authenticated HTTP request. A command injection vulnerability exists in the restart hour POST parameter.

Recommendations: For version M33A8.V5030.210505, consider disabling the sch reboot() function until a patch is available to prevent exploitation. Restrict access to the adm.cgi module to minimize the risk of exploitation. Avoid using the restart hour parameter in the affected HTTP endpoint until the issue is resolved.