OS Command Injection Vulnerability in Wavlink AC3000 Router
CVE-2024-39760

10CRITICAL

Key Information:

Vendor: Wavlink
Vendor: CVE Published:; 14 January 2025

What is CVE-2024-39760?

Multiple OS command injection vulnerabilities have been identified in the login.cgi set_sys_init() functionality of the Wavlink AC3000 M33A8.V5030.210505 router. These vulnerabilities allow attackers to execute arbitrary code through specially crafted HTTP requests, which can be sent without authentication. Notably, one of the vulnerabilities is linked to the restart_min_value POST parameter, making it crucial for users to secure their devices and follow best practices to mitigate potential exploits.

References

https://talosintelligence.com/vulnerability_reports/TALOS...

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 14, 2025