Login Sign Up

CVE-2024-39768

9.1 CRITICAL
Remote Code Execution Buffer Overflow

📋 TL;DR

This CVE describes multiple buffer overflow vulnerabilities in the Wavlink AC3000 router's internet.cgi set_qos() function. An authenticated attacker can send specially crafted HTTP requests to trigger stack-based buffer overflows via the cli_name POST parameter, potentially leading to remote code execution. This affects users of Wavlink AC3000 routers with vulnerable firmware versions.

💻 Affected Systems

Products:
  • Wavlink AC3000
Versions: M33A8.V5030.210505 and likely earlier versions
Operating Systems: Embedded Linux firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the web interface, but default credentials may be used.

📦 What is this software?

Wl Wn533a8 Firmware by Wavlink

View all CVEs affecting Wl Wn533a8 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with administrative privileges, allowing complete device takeover, network compromise, and lateral movement to connected systems.

🟠

Likely Case

Device crash/reboot causing service disruption, or limited code execution within the router's constrained environment.

🟢

If Mitigated

Denial of service through device crash if exploit attempts are blocked or fail.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authentication but uses simple buffer overflow techniques. Public details available in Talos report.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check Wavlink website for firmware updates. 2. Download latest firmware. 3. Log into router admin interface. 4. Navigate to firmware update section. 5. Upload and apply new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Disable QoS functionality

all

Turn off Quality of Service feature to prevent access to vulnerable set_qos() function

Change default credentials

all

Use strong, unique passwords for router admin interface

🧯 If You Can't Patch

  • Isolate router on separate VLAN with strict firewall rules
  • Disable remote administration and limit web interface access to trusted IPs only

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router admin interface under System Status or Firmware Update section

Check Version:

Login to router web interface and navigate to firmware/status page

Verify Fix Applied:

Verify firmware version matches or exceeds patched version from vendor

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to internet.cgi with long cli_name parameter
  • Router crash/reboot logs
  • Multiple failed authentication attempts followed by successful login

Network Indicators:

  • HTTP traffic to router on port 80/443 with unusually long POST parameters
  • Traffic patterns matching exploit payloads

SIEM Query:

source="router_logs" AND (url="*internet.cgi*" AND method="POST" AND param_length>100) OR event="device_reboot"

📊 Metadata

CVE ID: CVE-2024-39768
CVSS v3 Score: 9.1 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-120
EPSS Score: 0.25% exploit probability (48.1th percentile)
Published: January 14, 2025
Last Updated: November 3, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-39768, you might also want to check these:

CVE-2023-24482 10.0

This CVE describes a critical buffer overflow vulnerability in COMOS software's cache validation ser...

Same vulnerability type (CWE-120)
CVE-2024-22039 10.0

This vulnerability allows unauthenticated remote attackers to execute arbitrary code with root privi...

Same vulnerability type (CWE-120)
CVE-2022-22570 10.0

A buffer overflow vulnerability in UniFi Door Access Reader Lite firmware allows attackers with netw...

Same vulnerability type (CWE-120)