CVE-2024-39367

9.1 CRITICAL

📋 TL;DR

This CVE describes an authenticated OS command injection vulnerability in the Wavlink AC3000 router's firewall.cgi functionality. Attackers with valid credentials can execute arbitrary commands with root privileges, potentially compromising the entire device. Only users of the specific Wavlink AC3000 model with vulnerable firmware are affected.

💻 Affected Systems

Products:
  • Wavlink AC3000
Versions: M33A8.V5030.210505
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the web interface. Default credentials may increase risk.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full device compromise, allowing an attacker to install persistent backdoors, pivot to internal networks, intercept all traffic, or brick the device.

🟠 Likely Case: Attacker gains root shell access to the router, enabling traffic interception, credential theft, and lateral movement to connected devices.

🟢 If Mitigated: Limited impact if strong authentication controls prevent unauthorized access and network segmentation isolates the router.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authentication but is trivial to execute once credentials are obtained. Public PoC available in Talos report.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch is available. Check the Wavlink website for firmware updates; if one exists, download it and flash it via the web interface.

🔧 Temporary Workarounds

  • Disable remote administration (Applies to: all)
    Prevent external access to the web interface.
    Navigate to router admin interface > Advanced > Remote Management > Disable
  • Change default credentials (Applies to: all)
    Use a strong, unique password for the admin account.
    Navigate to router admin interface > System > Password > Set strong password

🧯 If You Can't Patch

  • Isolate router on separate VLAN with strict firewall rules
  • Implement network monitoring for suspicious HTTP requests to firewall.cgi

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the router web interface under System > Firmware. If the version is M33A8.V5030.210505, the device is vulnerable.

Check Version:

curl -s http://router-ip/cgi-bin/firmware.cgi | grep version

Verify Fix Applied:

Verify firmware version has been updated to a version later than M33A8.V5030.210505.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /cgi-bin/firewall.cgi with shell metacharacters in parameters
  • Unusual command execution in system logs

Network Indicators:

  • HTTP traffic to router containing pipe characters or semicolons in POST data
  • Outbound connections from router to unexpected destinations

SIEM Query:

source="router-logs" AND uri="/cgi-bin/firewall.cgi" AND (data CONTAINS "|" OR data CONTAINS ";" OR data CONTAINS "`")
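The log indicators above, implemented as an added example (not code from this page or from Wavlink): it flags POSTs to /cgi-bin/firewall.cgi whose parameters contain shell metacharacters, URL-decoding each value first so that encoded forms such as %3B or %7C, which a literal CONTAINS match would miss, are still caught. The record format (client, method, URI, body) is assumed to come from a proxy or IDS that captures POST bodies, and the parameter names and sample lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample records: "client method uri body" (not real Wavlink logs).
SAMPLE_LOG = """\
192.168.1.50 POST /cgi-bin/firewall.cgi lan_ip=192.168.1.1&rule=allow
192.168.1.50 POST /cgi-bin/firewall.cgi lan_ip=192.168.1.1%3Bid&rule=allow
192.168.1.77 POST /cgi-bin/firewall.cgi lan_ip=%60uname+-a%60
192.168.1.50 GET /cgi-bin/firmware.cgi -
192.168.1.50 POST /cgi-bin/login.cgi user=admin&pass=x%7Cy
192.168.1.77 POST /cgi-bin/firewall.cgi rule=allow&&id
"""

# Shell metacharacters that never belong in a firewall-rule parameter value.
META_RE = re.compile(r'[;|`&\n]|\$\(')

# Split on a single '&' only; a raw "&&" (shell AND) stays inside one value.
PAIR_SPLIT_RE = re.compile(r'(?<!&)&(?!&)')


def suspicious_values(body):
    """Return {param: decoded_value} for parameters holding shell metacharacters."""
    hits = {}
    for pair in PAIR_SPLIT_RE.split(body):
        key, _, raw = pair.partition('=')
        value = unquote_plus(raw)  # decode %3B, %7C, %60 ... before matching
        if META_RE.search(value):
            hits[key] = value
    return hits


def scan(log_text):
    """Return one alert per POST to firewall.cgi that carries metacharacters."""
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split(' ', 3)
        if len(parts) < 4:
            continue
        client, method, uri, body = parts
        if method != 'POST' or uri != '/cgi-bin/firewall.cgi':
            continue
        hits = suspicious_values(body)
        if hits:
            alerts.append({'line': lineno, 'client': client, 'params': hits})
    return alerts


if __name__ == '__main__':
    for alert in scan(SAMPLE_LOG):
        print(alert)
```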
