CVE-2024-39798
Published: 14 January 2025
Summary
CVE-2024-39798 is a critical-severity External Control of System or Configuration Setting (CWE-15) vulnerability in Wavlink Wl-Wn533A8 Firmware. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 34.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-39798 involves multiple external config control vulnerabilities in the openvpn.cgi openvpn_server_setup() functionality of the Wavlink AC3000 router running firmware version M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. Among them is a configuration injection vulnerability in the `sel_open_protocol` POST parameter. The vulnerability is classified under CWE-15 and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
An attacker with high privileges can exploit these vulnerabilities by sending an authenticated HTTP request to the affected component. Successful exploitation results in arbitrary command execution on the device, potentially allowing full compromise given the high impacts on confidentiality, integrity, and availability, along with a change in scope.
Mitigation details are available in the Talos Intelligence advisory at https://talosintelligence.com/vulnerability_reports/TALOS-2024-2050.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-38342
Vulnerability details
Multiple external config control vulnerabilities exist in the openvpn.cgi openvpn_server_setup() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities. A configuration injection vulnerability exists in the `sel_open_protocol` POST parameter.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in public-facing router web CGI enables remote exploitation for command execution on network device.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly prevents configuration injection vulnerabilities by validating and sanitizing inputs like the sel_open_protocol POST parameter to block arbitrary command execution.
Ensures timely remediation of the specific flaw in openvpn.cgi openvpn_server_setup() through vendor patching, eliminating the vulnerability.
Enforces secure baseline configuration settings for OpenVPN components to restrict unsafe configurations that could be exploited via external inputs.
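The input-validation control above, sketched as an added example (not Wavlink firmware code and not taken from the Talos advisory): a value destined for an OpenVPN `proto` line is accepted only if it exactly matches an allow-list, so a field containing a line break never reaches the config. The function names, the allow-list contents and the sample field are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed allow-list (the firmware's real set is not on the page). */
static const char *const ALLOWED_PROTO[] = { "udp", "tcp-server" };

/* Unvalidated pattern: the raw field is copied into the config text. */
int naive_proto_line(char *out, size_t outlen, const char *value)
{
    int n = snprintf(out, outlen, "proto %s\n", value);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Return 1 only when value is exactly one allow-listed token. */
int valid_open_protocol(const char *value)
{
    size_t i;
    for (i = 0; i < sizeof ALLOWED_PROTO / sizeof ALLOWED_PROTO[0]; i++)
        if (value != NULL && strcmp(value, ALLOWED_PROTO[i]) == 0)
            return 1;
    return 0;
}

/* Hardened writer: reject before any config text is produced. */
int safe_proto_line(char *out, size_t outlen, const char *value)
{
    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    return valid_open_protocol(value) ? naive_proto_line(out, outlen, value) : -1;
}

/* Number of newline-terminated lines in a config fragment. */
int count_lines(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) n += (*s == '\n');
    return n;
}

int main(void)
{
    const char *field = "udp\nplaceholder-directive value"; /* constructed */
    char buf[128];
    naive_proto_line(buf, sizeof buf, field);
    printf("naive writer emitted %d lines\n", count_lines(buf));
    printf("safe writer returned %d\n", safe_proto_line(buf, sizeof buf, field));
    return 0;
}
```

Exact matching against a fixed list is preferred here over stripping characters, because any value that is not a known protocol token is rejected outright.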