CVE-2024-37357 – This vulnerability allows authenticated attacke... (How to Fix)

Q: What is the severity of CVE-2024-37357?

CVE-2024-37357 has a CVSS score of 9.1 (CRITICAL). This vulnerability allows authenticated attackers to execute arbitrary code on Wavlink AC3000 routers by sending a specially crafted HTTP request that triggers a stack-based buffer overflow. Attackers with access to the admin interface can exploit this to gain full control of affected devices. Only Wavlink AC3000 routers running specific vulnerable firmware versions are affected.

📋 TL;DR

This vulnerability allows authenticated attackers to execute arbitrary code on Wavlink AC3000 routers by sending a specially crafted HTTP request that triggers a stack-based buffer overflow. Attackers with access to the admin interface can exploit this to gain full control of affected devices. Only Wavlink AC3000 routers running specific vulnerable firmware versions are affected.

💻 Affected Systems

Products:

Wavlink AC3000

Versions: M33A8.V5030.210505 and possibly earlier versions

Operating Systems: Embedded Linux firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Requires admin authentication, but default credentials may be used if not changed. TR069 functionality must be enabled.

📦 What is this software?

Wl Wn533a8 Firmware by Wavlink

View all CVEs affecting Wl Wn533a8 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to persistent backdoor installation, network pivoting, credential theft, and botnet recruitment.

🟠

Likely Case

Local network attacker gains administrative control of router, enabling traffic interception, DNS manipulation, and lateral movement.

🟢

If Mitigated

Isolated impact limited to router compromise if network segmentation prevents lateral movement and external access is blocked.

🌐 Internet-Facing: HIGH - If admin interface is exposed to internet, attackers can remotely exploit without internal access.

🏢 Internal Only: HIGH - Attackers on local network with admin credentials can exploit to gain full device control.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires authentication but buffer overflow exploitation is well-understood. No public exploit code available at disclosure time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check Wavlink website for firmware updates. 2. Download latest firmware for AC3000. 3. Log into router admin interface. 4. Navigate to firmware update section. 5. Upload and apply new firmware. 6. Reboot router after update completes.

🔧 Temporary Workarounds

Disable TR069 remote management

all

Disable the TR069 protocol functionality that contains the vulnerable set_TR069() function

Change default admin credentials

all

Change default admin password to strong, unique credentials to prevent authentication

Restrict admin interface access

all

Block external access to admin interface and restrict to trusted internal IPs only

🧯 If You Can't Patch

Isolate affected routers in separate VLAN with strict firewall rules
Implement network monitoring for unusual HTTP requests to adm.cgi endpoint

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router admin interface under System Status or Firmware Update section

Check Version:

Login to router web interface and navigate to System Information page

Verify Fix Applied:

Verify firmware version is newer than M33A8.V5030.210505 and test TR069 functionality

📡 Detection & Monitoring

Log Indicators:

Unusual HTTP POST requests to /cgi-bin/adm.cgi
Multiple failed authentication attempts followed by successful login
Large payloads in TR069-related requests

Network Indicators:

HTTP traffic to router on non-standard ports
Unusual outbound connections from router after exploitation
TR069 protocol traffic from unexpected sources

SIEM Query:

source="router_logs" AND (uri="/cgi-bin/adm.cgi" OR method="POST" AND uri CONTAINS "adm.cgi") AND size>1024

📊 Metadata

CVE ID: CVE-2024-37357

CVSS v3 Score: 9.1 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-120

EPSS Score: 0.68% exploit probability (71.2th percentile)

Published: January 14, 2025

Last Updated: August 21, 2025

🔗 References

https://talosintelligence.com/vulnerability_reports/TALOS-2024-2029 Exploit,Third Party Advisory
https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-2029 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-37357, you might also want to check these: