CVE-2024-39789
Published: 14 January 2025
Summary
CVE-2024-39789 is a critical-severity External Control of System or Configuration Setting (CWE-15) vulnerability in Wavlink Wl-Wn533A8 Firmware. Its CVSS base score is 9.1 (Critical).
Operationally, ranked at the 14.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-5 (Access Restrictions for Change).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates configuration injection vulnerability by validating inputs like the ftp_port POST parameter to prevent external control of system configurations.
Enforces approved authorizations to counter the permission bypass in the nas.cgi set_ftp_cfg() functionality exploited via crafted HTTP requests.
Restricts and authorizes access to configuration changes, preventing unauthorized modifications to FTP settings even by high-privilege users exploiting the vulnerability.
NVD Description
Multiple external config control vulnerabilities exist in the nas.cgi set_ftp_cfg() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to permission bypass. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A configuration injection vulnerability…
more
exists within the `ftp_port` POST parameter.
Deeper analysisAI
CVE-2024-39789 involves multiple external control of configuration vulnerabilities in the nas.cgi set_ftp_cfg() functionality of the Wavlink AC3000 router running firmware version M33A8.V5030.210505. These flaws, classified under CWE-15, enable permission bypass through a specially crafted HTTP request, with a specific configuration injection vulnerability in the ftp_port POST parameter. The issue carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to high impacts on confidentiality, integrity, and availability with a changed scope.
An attacker with high privileges (PR:H) can exploit this by sending an authenticated HTTP request to the vulnerable nas.cgi endpoint. This triggers the permission bypass and configuration injection, potentially allowing arbitrary modifications to system configurations, such as FTP settings, which could lead to unauthorized access, data exposure, service disruption, or further compromise of the device.
Mitigation details are outlined in the Talos Intelligence advisory at https://talosintelligence.com/vulnerability_reports/TALOS-2024-2056, which reported the vulnerabilities on 2025-01-14. Security practitioners should consult this reference for patch availability, workaround guidance, or firmware update recommendations specific to the affected Wavlink AC3000 devices.
Details
- CWE(s)