CVE-2024-39786 in AC3000info

Summary

by MITRE • 01/14/2025

Multiple directory traversal vulnerabilities exist in the nas.cgi add_dir() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to permission bypass. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A directory traversal vulnerability exists within the `adddir_name` POST parameter.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 08/22/2025

The CVE-2024-39786 vulnerability represents a critical directory traversal flaw within the Wavlink AC3000 M33A8.V5030.210505 firmware, specifically affecting the nas.cgi add_dir() functionality. This vulnerability resides in the web-based management interface of the device and manifests through the adddir_name POST parameter, which processes directory creation requests without proper input validation. The flaw allows attackers to manipulate file paths and potentially access or modify system files beyond the intended scope of the network-attached storage functionality. The vulnerability is particularly concerning as it requires only an authenticated HTTP request, meaning that an attacker who has already gained access to the device's administrative interface can exploit this weakness to escalate privileges and bypass normal file system permissions. This type of vulnerability falls under CWE-22, which specifically addresses improper limitation of a pathname to a restricted directory, commonly known as path traversal or directory traversal. The attack vector leverages the device's handling of user-supplied data in the adddir_name parameter, where malicious input can manipulate the underlying file system operations to navigate to unintended directories.

The operational impact of this vulnerability extends beyond simple file access, as it enables potential privilege escalation and unauthorized system modifications. When an authenticated user submits a crafted HTTP request containing malicious path traversal sequences in the adddir_name parameter, the system fails to properly sanitize the input before processing directory creation operations. This allows attackers to potentially create directories in system locations, overwrite critical files, or access sensitive configuration data that should remain restricted. The vulnerability's exploitation can lead to complete system compromise, as it provides an attacker with the ability to manipulate the device's file system in ways that bypass normal access controls. Security researchers have noted that such directory traversal vulnerabilities are particularly dangerous in network-attached storage devices because they often have extensive file system access and may contain sensitive user data, system configuration files, and potentially credentials. The vulnerability's presence in a consumer-grade router or access point with NAS capabilities makes it especially concerning, as these devices are often deployed in home and small office environments where proper security monitoring may be lacking.

Mitigation strategies for CVE-2024-39786 should focus on immediate firmware updates from Wavlink, as the vulnerability is specific to the M33A8.V5030.210505 firmware version. Network administrators should implement strict access controls and ensure that only authorized personnel have administrative access to the device, as the vulnerability requires authentication to exploit. The implementation of input validation and sanitization measures within the web application framework is essential, particularly for parameters like adddir_name that handle user-supplied directory names. Organizations should also consider network segmentation and monitoring to detect anomalous directory creation activities that might indicate exploitation attempts. From an ATT&CK perspective, this vulnerability aligns with techniques such as T1078 for valid accounts and T1566 for credential harvesting, as it can be used to escalate privileges and access sensitive data. The vulnerability demonstrates how seemingly minor implementation flaws in web application logic can result in significant security implications, particularly when dealing with file system operations and user input handling. Regular security audits of network infrastructure devices, including firmware version checks and vulnerability assessments, are crucial for preventing exploitation of such weaknesses. The vulnerability also highlights the importance of proper secure coding practices and input validation in embedded systems, as these devices often lack the robust security controls found in enterprise-grade systems.

Responsible

Talos

Reservation

06/28/2024

Disclosure

01/14/2025

Moderation

accepted

CPE

ready

EPSS

0.02430

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!