CVE-2024-39358

9.1 CRITICAL

📋 TL;DR

A buffer overflow in the set_wzap() function of adm.cgi on the Wavlink AC3000 router allows an authenticated attacker to execute arbitrary code by sending a specially crafted HTTP request. The affected firmware is Wavlink AC3000 M33A8.V5030.210505. An attacker who can reach the admin interface and holds (or obtains) valid credentials can potentially gain full control of the device.

💻 Affected Systems

Products:
  • Wavlink AC3000
Versions: M33A8.V5030.210505
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires an authenticated session on the admin interface. Unchanged default credentials make that session trivially obtainable, which removes the only barrier to exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to persistent backdoor installation, network traffic interception, lateral movement to connected devices, and botnet recruitment.

🟠

Likely Case

Remote code execution allowing attacker to modify router settings, intercept traffic, or use device as pivot point for internal network attacks.

🟢

If Mitigated

Limited impact if strong authentication, network segmentation, and proper access controls prevent unauthorized access to admin interface.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

The exploit requires authentication, but once credentials are obtained it is a single crafted HTTP request. A proof-of-concept request is included in the Talos advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check the Wavlink website for firmware updates.
2. Download the latest firmware for the AC3000.
3. Log into the router admin interface.
4. Navigate to the firmware update section.
5. Upload and apply the new firmware.
6. Reboot the router after the update completes.

🔧 Temporary Workarounds

Disable Remote Admin Access (applies to: all)

Prevent external access to the admin interface so the vulnerable authenticated endpoint is reachable only from the LAN.

Login to router admin → System → Remote Management → Disable

Change Default Credentials (applies to: all)

Use a strong, unique admin password; the overflow is only reachable with a valid session.

Login to router admin → System → Password → Set strong password

🧯 If You Can't Patch

  • Isolate router on separate VLAN with strict firewall rules
  • Implement network monitoring for suspicious HTTP requests to adm.cgi

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router admin interface under System → Firmware

Check Version:

The admin interface is the only reliable place to read the firmware version. adm.cgi is the authenticated configuration handler, not a version endpoint, so an unauthenticated request such as curl -s http://router-ip/cgi-bin/adm.cgi | grep version will not return a version string and is not a valid check.

Verify Fix Applied:

Confirm the running firmware version is no longer M33A8.V5030.210505. Because no fixed version has been published, a newer version number is not by itself proof that set_wzap() was fixed; check the vendor release notes or the Talos advisory for fix confirmation.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /cgi-bin/adm.cgi that invoke the set_wzap handler (the Talos advisory gives the exact request form)
  • Unusual admin login attempts, especially a burst of failures followed by a success from the same source

Network Indicators:

  • HTTP requests to the admin interface with unusually large form bodies (the overflow needs an oversized field value)
  • POST requests to adm.cgi from sources that do not normally administer the router

SIEM Query:

source="router-logs" AND uri="/cgi-bin/adm.cgi" AND method="POST" AND params CONTAINS "set_wzap"
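The SIEM query above only works where the request parameters are logged. The following is an added example, not part of the advisory or of any Wavlink code, that applies the same two indicators (a POST to /cgi-bin/adm.cgi carrying the set_wzap handler name, and an oversized request body) to log lines. The log format, the sample lines, the way set_wzap appears in the body, and the 1024-byte body threshold are all constructed assumptions for illustration.

```python
"""Flag suspicious requests to the Wavlink adm.cgi handler in web/proxy logs.

Added example, not from the advisory. The log format and the sample lines
below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

ADM_CGI_PATH = "/cgi-bin/adm.cgi"
HANDLER_MARKER = "set_wzap"   # handler named in the advisory; how it appears in a request is an assumption
LARGE_BODY_BYTES = 1024       # heuristic threshold (assumption): legitimate config posts are small

# Assumed log format (constructed): combined-log prefix, then the request body
# length and a quoted, truncated copy of the body.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'(?P<body_len>\d+) "(?P<body>[^"]*)"$'
)

# Constructed sample log; "..." marks where the logger truncated the body.
SAMPLE_LOG = [
    # benign: login page fetch
    '10.0.0.7 - - [12/Jan/2025:09:58:11 +0000] "GET /login.shtml HTTP/1.1" 200 2210 0 ""',
    # benign: small config change through adm.cgi
    '10.0.0.7 - - [12/Jan/2025:10:01:42 +0000] "POST /cgi-bin/adm.cgi HTTP/1.1" 200 318 64 "page=wireless&ssid=home&channel=6"',
    # suspicious: set_wzap handler invoked with an oversized body
    '10.0.0.99 - - [12/Jan/2025:10:14:03 +0000] "POST /cgi-bin/adm.cgi HTTP/1.1" 200 0 5210 "page=set_wzap&ssid=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..."',
    # suspicious: oversized body to adm.cgi, handler not visible in the truncated body
    '10.0.0.99 - - [12/Jan/2025:10:14:09 +0000] "POST /cgi-bin/adm.cgi HTTP/1.1" 500 0 3900 "page=wireless&ssid=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB..."',
    # not a line in the assumed format: skipped, not crashed on
    'kernel: eth0: link up',
]


@dataclass
class Finding:
    src: str
    ts: str
    reasons: list = field(default_factory=list)


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["body_len"] = int(rec["body_len"])
    return rec


def assess(rec: dict) -> list:
    """Return the list of reasons a parsed request is suspicious (empty if benign)."""
    reasons = []
    # Only POSTs to the adm.cgi handler are in scope; strip any query string first.
    if rec["uri"].split("?", 1)[0] != ADM_CGI_PATH or rec["method"] != "POST":
        return reasons
    if HANDLER_MARKER in rec["body"] or HANDLER_MARKER in rec["uri"]:
        reasons.append("set_wzap handler invoked")
    # The overflow needs an oversized field value, so body size is a usable signal
    # even when the handler name was truncated out of the logged body.
    if rec["body_len"] >= LARGE_BODY_BYTES:
        reasons.append(f"oversized body ({rec['body_len']} bytes)")
    return reasons


def scan(lines) -> list:
    """Run the indicators over an iterable of log lines and collect findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = assess(rec)
        if reasons:
            findings.append(Finding(rec["src"], rec["ts"], reasons))
    return findings


def unique_sources(findings) -> list:
    """Distinct client addresses behind the findings, for blocking or pivoting."""
    return sorted({f.src for f in findings})


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.src}: {'; '.join(f.reasons)}")
```

Matching on body size as well as on the handler name matters because many embedded web servers log only a truncated body, so the set_wzap marker may not survive into the log even though the request carried it.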

🔗 References