Cyber Resilience

CVE-2024-39795

CriticalPublic PoC

Published: 14 January 2025

Published
14 January 2025
Modified
03 November 2025
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0006 19.3th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-39795 is a critical-severity External Control of System or Configuration Setting (CWE-15) vulnerability in Wavlink Wl-Wn533A8 Firmware. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-5 (Access Restrictions for Change).

Deeper analysis

CVE-2024-39795 involves multiple external config control vulnerabilities in the nas.cgi set_nas() proftpd functionality of the Wavlink AC3000 router running firmware version M33A8.V5030.210505. These flaws allow a specially crafted HTTP request to bypass permissions, including a configuration injection vulnerability in the ftp_max_sessions POST parameter. The issue is classified under CWE-15 (External Control of System or Configuration Setting) with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical impact potential across confidentiality, integrity, and availability when scope is changed.

An authenticated attacker with high privileges can exploit these vulnerabilities by sending a malicious HTTP request to the affected nas.cgi endpoint. Successful exploitation leads to permission bypass and arbitrary configuration injection, enabling the attacker to alter ProFTPD settings such as maximum sessions, potentially disrupting services or escalating control over the device.

For mitigation details, refer to the Talos Intelligence advisory at https://talosintelligence.com/vulnerability_reports/TALOS-2024-2053, which provides analysis and recommendations specific to this vulnerability.

EU & UK References

Vulnerability details

Multiple external config control vulnerabilities exist in the nas.cgi set_nas() proftpd functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to permission bypass. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A configuration injection…

more

vulnerability exists in the `ftp_max_sessions` POST parameter.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Vulnerability in public-facing nas.cgi endpoint enables authenticated config injection and permission bypass on network device.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-39793Same product: Wavlink Wl-Wn533A8
CVE-2024-39799Same product: Wavlink Wl-Wn533A8
CVE-2024-39788Same product: Wavlink Wl-Wn533A8
CVE-2024-39790Same product: Wavlink Wl-Wn533A8
CVE-2024-39794Same product: Wavlink Wl-Wn533A8
CVE-2024-39789Same product: Wavlink Wl-Wn533A8
CVE-2024-39602Same product: Wavlink Wl-Wn533A8
CVE-2024-38666Same product: Wavlink Wl-Wn533A8
CVE-2024-39280Same product: Wavlink Wl-Wn533A8
CVE-2024-39800Same product: Wavlink Wl-Wn533A8

Affected Assets

wavlink
wl-wn533a8 firmware
m33a8.v5030.210505

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates configuration injection vulnerability by validating HTTP POST parameters such as ftp_max_sessions in the nas.cgi set_nas() function.

prevent

Enforces approved authorizations to prevent permission bypass in the ProFTPD configuration functionality via specially crafted authenticated HTTP requests.

prevent

Restricts logical access to configuration change capabilities in nas.cgi, limiting high-privilege authenticated attackers from unauthorized ProFTPD modifications.

References