CVE-2024-39795 in AC3000
Summary
by MITRE • 01/14/2025
Multiple external config control vulnerabilities exist in the nas.cgi set_nas() proftpd functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to permission bypass. An attacker can make an authenticated HTTP request to trigger these vulnerabilities. A configuration injection vulnerability exists in the `ftp_max_sessions` POST parameter.
Analysis
by VulDB Data Team • 08/22/2025
The vulnerability identified as CVE-2024-39795 affects the Wavlink AC3000 M33A8.V5030.210505 router firmware, specifically within the nas.cgi component that handles proftpd configuration through the set_nas() function. This issue represents a critical security flaw in the device's web-based administration interface that allows unauthorized privilege escalation through manipulation of external configuration parameters. The vulnerability stems from inadequate input validation and sanitization mechanisms within the web application layer that processes user-supplied data for FTP service configuration.
The vulnerability is reachable through multiple attack vectors that exploit weaknesses in the device's configuration management. The primary flaw is in the handling of the ftp_max_sessions POST parameter: the application fails to validate or sanitize the user-supplied value before incorporating it into the proftpd configuration. This creates a configuration injection vulnerability in which attacker-controlled parameters bypass normal access controls. The vulnerability is particularly concerning because it operates through authenticated HTTP requests: an attacker must first hold valid credentials, but can then use this flaw to escalate privileges and gain unauthorized control over system configuration parameters.
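The following is an added illustration of the flaw class described above, not code from the Wavlink firmware or from VulDB. It contrasts a renderer that pastes the ftp_max_sessions value straight into a configuration fragment with a hardened one that accepts only a bounded decimal integer. The mapping of ftp_max_sessions to the ProFTPD MaxClients directive, the upper bound of 64, and the placeholder directive name InjectedDirective used in the sample input are all assumptions made for the example.

```python
import re

# Assumed upper bound for concurrent FTP sessions on a small NAS (not a Wavlink value).
MAX_SESSIONS_LIMIT = 64

# Assumption: the firmware maps ftp_max_sessions onto ProFTPD's MaxClients directive.
DIRECTIVE = "MaxClients"


def render_insecure(ftp_max_sessions: str) -> str:
    """Vulnerable pattern: the POST value is interpolated verbatim.

    Any line break inside the value becomes a new configuration line,
    which is the configuration injection the advisory describes.
    """
    return f"{DIRECTIVE} {ftp_max_sessions}\n"


def parse_max_sessions(value: str) -> int:
    """Hardened pattern: accept only a short positive decimal integer.

    re.fullmatch rejects anything that is not entirely digits, so line
    breaks, whitespace, and directive keywords never reach the config.
    """
    if not re.fullmatch(r"[1-9][0-9]{0,2}", value):
        raise ValueError("ftp_max_sessions must be a positive decimal integer")
    n = int(value)
    if n > MAX_SESSIONS_LIMIT:
        raise ValueError(f"ftp_max_sessions exceeds limit of {MAX_SESSIONS_LIMIT}")
    return n


def render_hardened(ftp_max_sessions: str) -> str:
    """Render the directive only from a validated integer, never from raw text."""
    return f"{DIRECTIVE} {parse_max_sessions(ftp_max_sessions)}\n"


def directives(config_text: str) -> list:
    """Return the directive keywords present in a configuration fragment."""
    return [line.split()[0] for line in config_text.splitlines() if line.strip()]


if __name__ == "__main__":
    # Constructed sample input: a value carrying an embedded line break.
    crafted = "5\nInjectedDirective on"
    print("insecure renders:", directives(render_insecure(crafted)))
    try:
        render_hardened(crafted)
    except ValueError as exc:
        print("hardened rejects:", exc)
```

The point of the hardened version is that the configuration line is built from the parsed integer, not from the original string, so even a value that passes a looser check cannot carry extra text into the file.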
The operational impact of this vulnerability extends beyond simple permission bypass to potentially enable full system compromise. An attacker who successfully exploits this vulnerability can manipulate the proftpd service configuration to gain unauthorized access to network resources, potentially leading to data exfiltration, system takeover, or use as a pivot point for further attacks within the network. The configuration injection aspect means that malicious parameters could be used to modify critical FTP service settings, potentially allowing for anonymous access or privilege escalation within the FTP subsystem. This vulnerability aligns with CWE-94 (Improper Control of Generation of Code) and CWE-79 (Improper Neutralization of Input During Web Page Generation) categories, representing code injection and input validation failures that compromise system integrity.
The attack surface for this vulnerability is limited to authenticated users who can make HTTP requests to the affected web interface, but the consequences are severe enough to warrant immediate remediation. The issue demonstrates poor security practices in input validation and configuration management, where user-supplied parameters are directly incorporated into system configurations without proper sanitization. From an ATT&CK framework perspective, this vulnerability maps to T1078 (Valid Accounts) for the authentication requirement and T1543 (Create or Modify System Process) for the configuration modification capabilities. The vulnerability also represents a failure in the principle of least privilege, as the authenticated user can manipulate system-level configurations that should be restricted to administrative users only.
Mitigation strategies should focus on implementing proper input validation, sanitization, and parameter escaping before any user-supplied data is processed for configuration changes. The firmware should be updated with proper access controls that enforce strict validation of all configuration parameters, particularly those related to service configuration. Network segmentation and monitoring should be implemented to detect unusual configuration changes, while regular security audits should be conducted to identify similar vulnerabilities in other system components. Organizations should also consider implementing network-based intrusion detection systems that can identify suspicious HTTP requests targeting configuration parameters, and ensure that all devices are running the latest firmware versions that address this specific vulnerability.
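As an added example of the monitoring recommended above (not code from VulDB or from any product), the following check inspects decoded HTTP POST bodies sent to nas.cgi and flags an ftp_max_sessions value that is not a plain short integer, distinguishing values that carry line breaks from values that are merely malformed. The request path /cgi-bin/nas.cgi, the record layout, and the sample requests are constructed for the example; a real deployment would feed it from a web proxy or IDS that can see request bodies.

```python
import re
from urllib.parse import parse_qs

# Parameters the advisory names as config-injection sinks.
SUSPECT_KEYS = {"ftp_max_sessions"}

# Legitimate values are short decimal integers; anything else is anomalous.
INTEGER_ONLY = re.compile(r"[0-9]{1,3}")

# Constructed sample records (method, path, URL-encoded body); not real device logs.
# The path is an assumption; the page only names the nas.cgi handler.
SAMPLE_REQUESTS = [
    ("POST", "/cgi-bin/nas.cgi", "ftp_max_sessions=5&ftp_enable=1"),
    ("POST", "/cgi-bin/nas.cgi", "ftp_max_sessions=5%0AInjectedDirective+on"),
    ("POST", "/cgi-bin/nas.cgi", "ftp_max_sessions=abc"),
    ("GET", "/cgi-bin/nas.cgi", ""),
]


def classify_value(value: str) -> str:
    """Return an empty string for a benign value, otherwise a short reason."""
    if INTEGER_ONLY.fullmatch(value):
        return ""
    if "\n" in value or "\r" in value:
        # A line break inside a single-number field is the signature of an
        # attempt to append extra directives to the generated config.
        return "line-break"
    return "non-numeric"


def find_suspicious(requests: list) -> list:
    """Scan decoded requests and return (path, key, value, reason) findings."""
    findings = []
    for method, path, body in requests:
        if method != "POST" or not path.endswith("nas.cgi"):
            continue
        # parse_qs percent-decodes the body, so %0A becomes a real newline.
        params = parse_qs(body, keep_blank_values=True)
        for key in SUSPECT_KEYS:
            for value in params.get(key, []):
                reason = classify_value(value)
                if reason:
                    findings.append((path, key, value, reason))
    return findings


if __name__ == "__main__":
    for path, key, value, reason in find_suspicious(SAMPLE_REQUESTS):
        print(f"{reason:12s} {path} {key}={value!r}")
```

The classifier deliberately uses an allow-list (what a valid value looks like) rather than a deny-list of known bad characters, so it also catches malformed values that are not injection attempts but still indicate tampering with the management interface.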