CVE-2024-36295 – This vulnerability allows authenticated attacke... (How to Fix)

Q: What is the severity of CVE-2024-36295?

CVE-2024-36295 has a CVSS score of 9.1 (CRITICAL). This vulnerability allows authenticated attackers to execute arbitrary commands on Wavlink AC3000 routers via a crafted HTTP request to the qos.cgi endpoint. Attackers with network access to the router's web interface can gain full system control. Only users of specific Wavlink router models with vulnerable firmware are affected.

📋 TL;DR

This vulnerability allows authenticated attackers to execute arbitrary commands on Wavlink AC3000 routers via a crafted HTTP request to the qos.cgi endpoint. Attackers with network access to the router's web interface can gain full system control. Only users of specific Wavlink router models with vulnerable firmware are affected.

💻 Affected Systems

Products:

Wavlink AC3000

Versions: M33A8.V5030.210505 and likely earlier versions

Operating Systems: Embedded Linux (router firmware)

Default Config Vulnerable: ⚠️ Yes

Notes: Requires authentication to the web interface, but default credentials may be used. The qos.cgi endpoint must be accessible.

📦 What is this software?

Wl Wn533a8 Firmware by Wavlink

View all CVEs affecting Wl Wn533a8 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router allowing attackers to intercept all network traffic, install persistent malware, pivot to internal networks, and brick the device.

🟠

Likely Case

Attackers gaining shell access to modify router settings, steal credentials, or use the router as a foothold for further attacks.

🟢

If Mitigated

Limited impact if strong network segmentation, authentication controls, and web interface restrictions are in place.

🌐 Internet-Facing: HIGH

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit requires authentication but is straightforward to execute once authenticated. Public technical details available in Talos report.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check Wavlink website for firmware updates. 2. Download latest firmware for AC3000. 3. Log into router web interface. 4. Navigate to firmware update section. 5. Upload and apply new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Disable QoS Web Interface

all

Disable or restrict access to the QoS functionality in router settings

Change Default Credentials

all

Change router admin password from default to strong unique password

🧯 If You Can't Patch

Isolate router on separate VLAN with strict firewall rules
Disable remote administration and restrict web interface to trusted IPs only

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in web interface under System Status or About page

Check Version:

Login to router web interface and check firmware version in system settings

Verify Fix Applied:

Verify firmware version is newer than M33A8.V5030.210505

📡 Detection & Monitoring

Log Indicators:

Unusual HTTP POST requests to /cgi-bin/qos.cgi
Multiple failed authentication attempts followed by successful login

Network Indicators:

HTTP requests with command injection patterns to router IP
Unusual outbound connections from router

SIEM Query:

source="router_logs" AND (uri="/cgi-bin/qos.cgi" OR uri="/qos.cgi") AND method="POST"

📊 Metadata

CVE ID: CVE-2024-36295

CVSS v3 Score: 9.1 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-74

EPSS Score: 2.74% exploit probability (85.7th percentile)

Published: January 14, 2025

Last Updated: August 21, 2025

🔗 References

https://talosintelligence.com/vulnerability_reports/TALOS-2024-2047 Exploit,Third Party Advisory
https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-2047 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-36295, you might also want to check these: