CVE-2024-39784

Name of the Vulnerable Software and Affected Versions: Wavlink AC3000 version M33A8.V5030.210505

Description: Multiple command execution vulnerabilities exist in the nas.cgi add dir() functionality. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities. A command injection vulnerability exists in the disk part POST parameter.

Recommendations: For version M33A8.V5030.210505, consider disabling the add dir() function in the nas.cgi until a patch is available. Restrict access to the disk part parameter in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.