CVE-2024-39802 – This vulnerability allows authenticated attacke... (How to Fix)

Q: What is the severity of CVE-2024-39802?

CVE-2024-39802 has a CVSS score of 9.1 (CRITICAL). This vulnerability allows authenticated attackers to execute arbitrary code on Wavlink AC3000 routers by sending specially crafted HTTP requests that trigger buffer overflows in the QoS settings functionality. Attackers could gain full control of affected devices. Only users of specific Wavlink router models with vulnerable firmware are affected.

📋 TL;DR

This vulnerability allows authenticated attackers to execute arbitrary code on Wavlink AC3000 routers by sending specially crafted HTTP requests that trigger buffer overflows in the QoS settings functionality. Attackers could gain full control of affected devices. Only users of specific Wavlink router models with vulnerable firmware are affected.

💻 Affected Systems

Products:

Wavlink AC3000

Versions: M33A8.V5030.210505 and likely earlier versions

Operating Systems: Embedded Linux firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Requires access to web management interface with valid credentials

📦 What is this software?

Wl Wn533a8 Firmware by Wavlink

View all CVEs affecting Wl Wn533a8 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, persistence, network pivoting, and data exfiltration

🟠

Likely Case

Router takeover allowing traffic interception, DNS manipulation, and credential theft

🟢

If Mitigated

Limited impact if proper network segmentation and authentication controls prevent access to management interface

🌐 Internet-Facing: HIGH - HTTP management interface often exposed to internet on consumer routers

🏢 Internal Only: MEDIUM - Requires authenticated access but internal attackers could exploit

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Requires authentication but buffer overflow exploitation is well-understood

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check Wavlink website for firmware updates 2. Download latest firmware 3. Upload via web interface 4. Reboot router

🔧 Temporary Workarounds

Disable remote management

all

Prevent external access to web management interface

Network segmentation

all

Isolate router management interface to trusted network

🧯 If You Can't Patch

Disable QoS functionality if not required
Implement strict firewall rules to limit access to router management interface

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface under System Status

Check Version:

Not applicable - check via web interface

Verify Fix Applied:

Verify firmware version is newer than M33A8.V5030.210505

📡 Detection & Monitoring

Log Indicators:

Unusual HTTP POST requests to /cgi-bin/qos.cgi with long qos_dat parameters
Multiple failed authentication attempts followed by successful login

Network Indicators:

HTTP traffic to router management port with unusually long POST data
Outbound connections from router to unexpected destinations

SIEM Query:

http.method:POST AND http.uri:"/cgi-bin/qos.cgi" AND http.request_body_length > 1000

📊 Metadata

CVE ID: CVE-2024-39802

CVSS v3 Score: 9.1 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-120

EPSS Score: 0.25% exploit probability (48.1th percentile)

Published: January 14, 2025

Last Updated: November 3, 2025

🔗 References

https://talosintelligence.com/vulnerability_reports/TALOS-2024-2049 Exploit,Third Party Advisory
https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-2049

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-39802, you might also want to check these: