Cyber Posture

CVE-2024-39795

CriticalPublic PoC

Published: 14 January 2025

Published
14 January 2025
Modified
03 November 2025
KEV Added
Patch
CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0004 13.7th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-39795 is a critical-severity External Control of System or Configuration Setting (CWE-15) vulnerability in Wavlink Wl-Wn533A8 Firmware. Its CVSS base score is 9.1 (Critical).

Operationally, ranked at the 13.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-5 (Access Restrictions for Change).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly mitigates configuration injection vulnerability by validating HTTP POST parameters such as ftp_max_sessions in the nas.cgi set_nas() function.

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations to prevent permission bypass in the ProFTPD configuration functionality via specially crafted authenticated HTTP requests.

CM-5 Access Restrictions for Change good match
prevent

Restricts logical access to configuration change capabilities in nas.cgi, limiting high-privilege authenticated attackers from unauthorized ProFTPD modifications.

NVD Description

Multiple external config control vulnerabilities exist in the nas.cgi set_nas() proftpd functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to permission bypass. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A configuration injection…

more

vulnerability exists in the `ftp_max_sessions` POST parameter.

Deeper analysisAI

CVE-2024-39795 involves multiple external config control vulnerabilities in the nas.cgi set_nas() proftpd functionality of the Wavlink AC3000 router running firmware version M33A8.V5030.210505. These flaws allow a specially crafted HTTP request to bypass permissions, including a configuration injection vulnerability in the ftp_max_sessions POST parameter. The issue is classified under CWE-15 (External Control of System or Configuration Setting) with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical impact potential across confidentiality, integrity, and availability when scope is changed.

An authenticated attacker with high privileges can exploit these vulnerabilities by sending a malicious HTTP request to the affected nas.cgi endpoint. Successful exploitation leads to permission bypass and arbitrary configuration injection, enabling the attacker to alter ProFTPD settings such as maximum sessions, potentially disrupting services or escalating control over the device.

For mitigation details, refer to the Talos Intelligence advisory at https://talosintelligence.com/vulnerability_reports/TALOS-2024-2053, which provides analysis and recommendations specific to this vulnerability.

Details

CWE(s)
CWE-15

Affected Products

wavlink
wl-wn533a8 firmware
m33a8.v5030.210505

CVEs Like This One

CVE-2024-39794Same product: Wavlink Wl-Wn533A8
CVE-2024-39800Same product: Wavlink Wl-Wn533A8
CVE-2024-39602Same product: Wavlink Wl-Wn533A8
CVE-2024-39280Same product: Wavlink Wl-Wn533A8
CVE-2024-39798Same product: Wavlink Wl-Wn533A8
CVE-2024-38666Same product: Wavlink Wl-Wn533A8
CVE-2024-39788Same product: Wavlink Wl-Wn533A8
CVE-2024-39789Same product: Wavlink Wl-Wn533A8
CVE-2024-39799Same product: Wavlink Wl-Wn533A8
CVE-2024-39793Same product: Wavlink Wl-Wn533A8

References