CVE-2024-39800

Name of the Vulnerable Software and Affected Versions Wavlink AC3000 version M33A8.V5030.210505

Description Multiple external config control vulnerabilities exist in the openvpn.cgi openvpn server setup() functionality. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities. A configuration injection vulnerability exists in the open port POST parameter.

Recommendations For version M33A8.V5030.210505, as a temporary workaround, consider disabling the openvpn server setup() function until a patch is available. Restrict access to the open port parameter in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.