CVE-2024-39787

Name of the Vulnerable Software and Affected Versions: Wavlink AC3000 version M33A8.V5030.210505

Description: Multiple directory traversal vulnerabilities exist in the nas.cgi add dir() functionality. A specially crafted HTTP request can lead to permission bypass. An attacker can make an authenticated HTTP request to trigger these vulnerabilities. A directory traversal vulnerability exists within the disk part POST parameter.

Recommendations: For version M33A8.V5030.210505, as a temporary workaround, consider disabling the add dir() function in nas.cgi until a patch is available. Restrict access to the disk part parameter in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.