CVE-2024-21797
Published: 14 January 2025
Summary
CVE-2024-21797 is a critical-severity Injection (CWE-74) vulnerability in Wavlink Wl-Wn533A8 Firmware. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 7.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A command execution vulnerability exists in the adm.cgi set_TR069() functionality of the Wavlink AC3000 router running firmware M33A8.V5030.210505. The issue, tracked as CVE-2024-21797 and assigned CWE-74, allows a specially crafted HTTP request to trigger arbitrary command execution on the device. It carries a CVSS 3.1 score of 9.1 reflecting network attack vector, low complexity, high privileges required, and impacts across confidentiality, integrity, and availability in a changed scope.
An authenticated attacker can exploit the flaw by submitting a malicious HTTP request to the affected endpoint, resulting in execution of attacker-controlled commands on the router. The vulnerability is reachable over the network without user interaction once valid credentials are obtained.
No mitigation details or patch information appear in the supplied references, which point to the Talos report TALOS-2024-2028. The EPSS score remains flat at 0.0786, with no material rise observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-34423
Vulnerability details
A command execution vulnerability exists in the adm.cgi set_TR069() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct RCE via crafted HTTP request to public web CGI enables T1190; arbitrary command execution on network device maps to T1059.008.
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of all information inputs, directly preventing command injection via specially crafted HTTP requests to the vulnerable adm.cgi set_TR069() function.
SI-2 mandates timely flaw remediation, enabling patching of the specific command execution vulnerability in Wavlink AC3000 firmware M33A8.V5030.210505 to eliminate exploitation.
AC-6 enforces least privilege for authenticated high-privilege (PR:H) users, limiting the scope and impact of arbitrary command execution on the device.