CVE-2024-39764 in AC3000
Summary
by MITRE • 01/14/2025
Multiple OS command injection vulnerabilities exist in the internet.cgi set_add_routing() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A command injection vulnerability exists in the `dest` POST parameter.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 08/22/2025
The vulnerability identified as CVE-2024-39764 represents a critical command injection flaw within the Wavlink AC3000 M33A8.V5030.210505 router firmware, specifically affecting the internet.cgi set_add_routing() functionality. This issue falls under the CWE-77 category of Command Injection, where untrusted data is improperly incorporated into system commands without adequate sanitization or validation. The vulnerability is particularly concerning because it allows authenticated attackers to execute arbitrary commands on the affected device, effectively providing complete control over the router's operations.
The technical exploitation occurs through the dest POST parameter within the internet.cgi endpoint, which processes routing configuration data. When an authenticated user submits a malicious HTTP request containing specially crafted command sequences in the dest parameter, the router fails to properly sanitize this input before incorporating it into system commands. This allows attackers to inject operating system commands that are then executed with the privileges of the web server process, typically running with administrative privileges on the device. The vulnerability demonstrates poor input validation practices and inadequate parameter sanitization mechanisms that are fundamental to secure application development.
Operationally, this vulnerability creates a severe security risk for organizations and individuals using the affected Wavlink routers, as it enables complete compromise of the network gateway. An attacker with valid credentials can execute commands such as spawning reverse shells, modifying routing tables, disabling security features, or even installing malicious firmware. The impact extends beyond the immediate device compromise, as compromised routers can serve as entry points for broader network infiltration, lateral movement, and persistent access. This aligns with ATT&CK technique T1059.001 for command and scripting interpreter, where adversaries use legitimate system utilities to execute malicious code.
Mitigation strategies for this vulnerability should include immediate firmware updates from Wavlink to address the command injection flaw, implementation of network segmentation to limit the attack surface, and enforcement of strict access controls for router administration interfaces. Network administrators should also consider monitoring for suspicious HTTP requests containing command injection patterns and implement web application firewalls to detect and block malicious payloads. The vulnerability highlights the importance of input validation and proper sanitization of user-supplied data, principles that are fundamental to the OWASP Top Ten security controls and should be integrated into all network device development processes to prevent similar issues in the future.