Cyber Resilience

CVE-2024-39764

CriticalPublic PoCRCE

Published: 14 January 2025

Published
14 January 2025
Modified
03 November 2025
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0058 69.3th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-39764 is a critical-severity Command Injection (CWE-77) vulnerability in Wavlink Wl-Wn533A8 Firmware. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 30.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-39764 consists of multiple OS command injection vulnerabilities (CWE-77) in the internet.cgi set_add_routing() functionality of the Wavlink AC3000 router running firmware version M33A8.V5030.210505. These flaws, including a specific command injection issue in the "dest" POST parameter, allow a specially crafted HTTP request to trigger arbitrary command execution on the device. The vulnerability was published on 2025-01-14 and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

An authenticated attacker with high privileges (PR:H) can exploit these vulnerabilities remotely over the network with low complexity and no user interaction required. By sending a malicious HTTP request to the affected endpoint, the attacker achieves arbitrary OS command execution, enabling high confidentiality, integrity, and availability impacts in a changed scope (S:C), such as full device compromise, data exfiltration, or persistent access.

The primary advisory from Talos Intelligence, TALOS-2024-2020, documents these vulnerabilities in detail at https://talosintelligence.com/vulnerability_reports/TALOS-2024-2020. Security practitioners should consult this report for recommended mitigations, as no specific patch details are provided in the core CVE information.

EU & UK References

Vulnerability details

Multiple OS command injection vulnerabilities exist in the internet.cgi set_add_routing() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A command injection…

more

vulnerability exists in the `dest` POST parameter.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

OS command injection in public-facing router web CGI directly enables remote exploitation of the application (T1190) and arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-39783Same product: Wavlink Wl-Wn533A8
CVE-2024-39781Same product: Wavlink Wl-Wn533A8
CVE-2024-39367Same product: Wavlink Wl-Wn533A8
CVE-2024-39763Same product: Wavlink Wl-Wn533A8
CVE-2024-39782Same product: Wavlink Wl-Wn533A8
CVE-2024-39765Same product: Wavlink Wl-Wn533A8
CVE-2024-39760Same product: Wavlink Wl-Wn533A8
CVE-2024-37186Same product: Wavlink Wl-Wn533A8
CVE-2024-39761Same product: Wavlink Wl-Wn533A8
CVE-2024-34166Same product: Wavlink Wl-Wn533A8

Affected Assets

wavlink
wl-wn533a8 firmware
m33a8.v5030.210505

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents OS command injection vulnerabilities by validating and sanitizing untrusted inputs such as the 'dest' POST parameter in the internet.cgi set_add_routing() function.

prevent

Remediates the specific flaws in the Wavlink AC3000 firmware's internet.cgi set_add_routing() functionality through identification, reporting, and correction processes.

prevent

Enforces least privilege to restrict the scope of arbitrary command execution even for authenticated high-privilege (PR:H) users exploiting the vulnerability.

References