CVE-2024-39790

Name of the Vulnerable Software and Affected Versions Wavlink AC3000 version M33A8.V5030.210505

Description Multiple external config control vulnerabilities exist in the nas.cgi set ftp cfg() functionality. A specially crafted HTTP request can lead to permission bypass. An attacker can make an authenticated HTTP request to trigger these vulnerabilities. A configuration injection vulnerability exists within the ftp max sessions POST parameter.

Recommendations For version M33A8.V5030.210505, as a temporary workaround, consider disabling the set ftp cfg() function until a patch is available. Restrict access to the ftp max sessions parameter in the affected HTTP endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.