CVE-2024-39798

Name of the Vulnerable Software and Affected Versions Wavlink AC3000 version M33A8.V5030.210505

Description There are multiple external configuration control vulnerabilities in the openvpn.cgi openvpn server setup() function. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities. A configuration injection vulnerability exists in the sel open protocol POST parameter.

Recommendations For version M33A8.V5030.210505, as a temporary workaround, consider disabling the openvpn server setup() function until a patch is available. Restrict access to the openvpn.cgi module to minimize the risk of exploitation. Avoid using the sel open protocol parameter in the affected HTTP endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.