CVE-2024-36258
Published: 14 January 2025
Summary
CVE-2024-36258 is a critical-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Wavlink Wl-Wn533A8 Firmware. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 5.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
A stack-based buffer overflow vulnerability exists in the touchlist_sync.cgi touchlistsync() function of the Wavlink AC3000 router running firmware M33A8.V5030.210505. The flaw, tracked as CWE-121, is triggered by a specially crafted HTTP request and can result in arbitrary code execution on the device. It carries a CVSS 3.1 score of 10.0, reflecting network attack vector, low complexity, and no required authentication or user interaction.
An unauthenticated attacker with network access can send a malicious HTTP request to the affected CGI endpoint, causing the overflow and achieving arbitrary code execution with full system impact including confidentiality, integrity, and availability compromise. The references point to detailed technical reports from Cisco Talos that describe the vulnerability but do not include mitigation guidance or patch availability in the supplied information. The associated EPSS score has remained in a moderate range with a modest peak of 0.2028.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-36359
Vulnerability details
A stack-based buffer overflow vulnerability exists in the touchlist_sync.cgi touchlistsync() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can send an HTTP request to trigger this vulnerability.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in unauthenticated HTTP-accessible CGI endpoint directly enables remote exploitation of a public-facing network device for arbitrary code execution.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires identification, reporting, and patching of the stack-based buffer overflow flaw in touchlist_sync.cgi to prevent arbitrary code execution.
Enforces validation of HTTP request inputs to block specially crafted requests that trigger the buffer overflow in touchlistsync().
Provides memory safeguards such as stack canaries and ASLR to mitigate exploitation of the stack-based buffer overflow vulnerability.