Cyber Resilience

CVE-2024-21797

CriticalPublic PoC

Published: 14 January 2025

Published
14 January 2025
Modified
21 August 2025
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0786 92.2th percentile
Risk Priority 23 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-21797 is a critical-severity Injection (CWE-74) vulnerability in Wavlink Wl-Wn533A8 Firmware. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 7.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A command execution vulnerability exists in the adm.cgi set_TR069() functionality of the Wavlink AC3000 router running firmware M33A8.V5030.210505. The issue, tracked as CVE-2024-21797 and assigned CWE-74, allows a specially crafted HTTP request to trigger arbitrary command execution on the device. It carries a CVSS 3.1 score of 9.1 reflecting network attack vector, low complexity, high privileges required, and impacts across confidentiality, integrity, and availability in a changed scope.

An authenticated attacker can exploit the flaw by submitting a malicious HTTP request to the affected endpoint, resulting in execution of attacker-controlled commands on the router. The vulnerability is reachable over the network without user interaction once valid credentials are obtained.

No mitigation details or patch information appear in the supplied references, which point to Talos reports TALOS-2024-2028. The EPSS score remains flat at 0.0786 with no material rise observed after disclosure.

EU & UK References

Vulnerability details

A command execution vulnerability exists in the adm.cgi set_TR069() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Why these techniques?

Direct RCE via crafted HTTP request to public web CGI enables T1190; arbitrary command execution on network device maps to T1059.008.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-39604Same product: Wavlink Wl-Wn533A8
CVE-2024-39784Same product: Wavlink Wl-Wn533A8
CVE-2024-39785Same product: Wavlink Wl-Wn533A8
CVE-2024-34544Same product: Wavlink Wl-Wn533A8
CVE-2024-36295Same product: Wavlink Wl-Wn533A8
CVE-2024-36493Same product: Wavlink Wl-Wn533A8
CVE-2024-39602Same product: Wavlink Wl-Wn533A8
CVE-2024-39798Same product: Wavlink Wl-Wn533A8
CVE-2024-39762Same product: Wavlink Wl-Wn533A8
CVE-2024-39803Same product: Wavlink Wl-Wn533A8

Affected Assets

wavlink
wl-wn533a8 firmware
m33a8.v5030.210505

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 requires validation of all information inputs, directly preventing command injection via specially crafted HTTP requests to the vulnerable adm.cgi set_TR069() function.

prevent

SI-2 mandates timely flaw remediation, enabling patching of the specific command execution vulnerability in Wavlink AC3000 firmware M33A8.V5030.210505 to eliminate exploitation.

prevent

AC-6 enforces least privilege for authenticated high-privilege (PR:H) users, limiting the scope and impact of arbitrary command execution on the device.

References