CVE-2024-39793
Published: 14 January 2025
Summary
CVE-2024-39793 is a critical-severity External Control of System or Configuration Setting (CWE-15) vulnerability in Wavlink Wl-Wn533A8 Firmware. Its CVSS base score is 9.1 (Critical).
Operationally, ranked at the 13.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-5 (Access Restrictions for Change).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations to prevent permission bypass in the nas.cgi set_nas() proftpd functionality.
Validates and sanitizes inputs like the ftp_name POST parameter to block configuration injection vulnerabilities.
Restricts access to configuration change endpoints such as nas.cgi to authorized users only, mitigating unauthorized modifications.
NVD Description
Multiple external config control vulnerabilities exist in the nas.cgi set_nas() proftpd functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to permission bypass. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A configuration injection…
more
vulnerability exists in the `ftp_name` POST parameter.
Deeper analysisAI
CVE-2024-39793 involves multiple external control of configuration vulnerabilities in the nas.cgi set_nas() proftpd functionality of the Wavlink AC3000 router running firmware version M33A8.V5030.210505. These flaws allow a specially crafted HTTP request to bypass permissions, enabling unauthorized configuration changes. Additionally, a configuration injection vulnerability affects the ftp_name POST parameter, classified under CWE-15 (External Control of System or Configuration Setting). The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact confidentiality, integrity, and availability effects with scope expansion.
An authenticated attacker with high privileges (PR:H) can exploit these issues by sending a malicious HTTP request to the affected nas.cgi endpoint. This triggers permission bypass and configuration injection, potentially allowing the attacker to modify ProFTPD settings or other NAS-related configurations arbitrarily. Successful exploitation grants network-accessible (AV:N) control with low complexity (AC:L) and no user interaction (UI:N), leading to complete compromise of the device's configuration.
Mitigation details and technical analysis are provided in the Talos Intelligence advisory TALOS-2024-2053, available at https://talosintelligence.com/vulnerability_reports/TALOS-2024-2053. Security practitioners should consult this report for patching instructions or workarounds specific to the Wavlink AC3000 device.
Details
- CWE(s)