CVE-2024-34166
Published: 14 January 2025
Summary
CVE-2024-34166 is a critical-severity Command Injection (CWE-77) vulnerability in Wavlink Wl-Wn533A8 Firmware. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 6.8% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Validates HTTP request inputs to the touchlist_sync.cgi script's touchlistsync() function to block specially crafted payloads that enable OS command injection.
Remediates the specific OS command injection flaw in the Wavlink router firmware by applying patches or code corrections.
Restricts HTTP inputs to the vulnerable CGI endpoint to authorized formats and lengths, mitigating injection attempts.
NVD Description
An OS command injection vulnerability exists in the touchlist_sync.cgi touchlistsync() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted set of HTTP requests can lead to arbitrary code execution. An attacker can send an HTTP request to trigger this vulnerability.
Deeper analysis
CVE-2024-34166 is an OS command injection vulnerability in the touchlist_sync.cgi script's touchlistsync() function within the Wavlink AC3000 router firmware version M33A8.V5030.210505. It allows attackers to execute arbitrary operating system commands through specially crafted HTTP requests sent to the device. The vulnerability carries a CVSS v3.1 base score of 10.0 (Critical), reflecting its network accessibility, low attack complexity, lack of required privileges or user interaction, changed scope, and high impact on confidentiality, integrity, and availability. It is classified as CWE-77 (Command Injection).
Unauthenticated remote attackers can exploit this vulnerability by sending malicious HTTP requests to the affected touchlist_sync.cgi endpoint, leading to arbitrary code execution on the device. Given the CVSS vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), exploitation requires no authentication and can be performed over the network without user involvement, potentially granting full control over the router, including data exfiltration, further network pivoting, or persistent access.
The Talos Intelligence advisory (TALOS-2024-2000) details the vulnerability. Security practitioners should consult it for technical analysis, proof-of-concept details, and any recommended mitigations or patches, as no vendor-specific remediation is specified in the CVE data.
Details
- CWE(s)