Cyber Resilience

CVE-2024-39604

CriticalPublic PoC

Published: 14 January 2025

Published
14 January 2025
Modified
21 August 2025
KEV Added
Patch
CVSS Score v3.1 9.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0102 77.6th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-39604 is a critical-severity Injection (CWE-74) vulnerability in Wavlink Wl-Wn533A8 Firmware. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-8 (Transmission Confidentiality and Integrity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-39604 is a command execution vulnerability in the update_filter_url.sh functionality of the Wavlink AC3000 router running firmware version M33A8.V5030.210505. The flaw allows a specially crafted HTTP request to trigger arbitrary command execution on the device. It has been assigned a CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) and is associated with CWE-74, indicating an injection-related issue.

The vulnerability can be exploited by a remote attacker performing a man-in-the-middle (MitM) attack, which aligns with the high attack complexity (AC:H) in its CVSS vector. No user privileges or interaction are required (PR:N/UI:N), and successful exploitation grants high-impact scope (S:C) with full confidentiality, integrity, and availability compromise (C:H/I:H/A:H), enabling arbitrary command execution on the targeted router.

Details on mitigation, including any patches or workarounds, are available in the Cisco Talos Intelligence advisory TALOS-2024-2038, accessible at https://talosintelligence.com/vulnerability_reports/TALOS-2024-2038. The vulnerability was published on 2025-01-14.

EU & UK References

Vulnerability details

A command execution vulnerability exists in the update_filter_url.sh functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote command injection in public-facing router HTTP endpoint (update_filter_url.sh) enables exploitation of public-facing applications for arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-21797Same product: Wavlink Wl-Wn533A8
CVE-2024-39784Same product: Wavlink Wl-Wn533A8
CVE-2024-39785Same product: Wavlink Wl-Wn533A8
CVE-2024-34544Same product: Wavlink Wl-Wn533A8
CVE-2024-36295Same product: Wavlink Wl-Wn533A8
CVE-2024-39803Same product: Wavlink Wl-Wn533A8
CVE-2024-37184Same product: Wavlink Wl-Wn533A8
CVE-2024-34166Same product: Wavlink Wl-Wn533A8
CVE-2024-39786Same product: Wavlink Wl-Wn533A8
CVE-2024-39790Same product: Wavlink Wl-Wn533A8

Affected Assets

wavlink
wl-wn533a8 firmware
m33a8.v5030.210505

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Validates and sanitizes HTTP inputs to the update_filter_url.sh script, directly preventing command injection from specially crafted requests.

prevent

Enforces transmission confidentiality and integrity to block man-in-the-middle attacks required to deliver the malicious HTTP request.

prevent

Promptly remediates the specific injection flaw in the router firmware via patching as advised in the Talos report.

References