ID

VAR-202501-1300


CVE

CVE-2024-39367


TITLE

WAVLINK AC3000 firewall.cgi iptablesWebsFilterRun function command injection vulnerability

Trust: 0.6

sources: CNVD: CNVD-2025-02232

DESCRIPTION

An OS command injection vulnerability exists in the firewall.cgi iptablesWebsFilterRun() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. WAVLINK AC3000 is a wireless router from WAVLINK, a Chinese company. The vulnerability is caused by the firewall.cgi iptablesWebsFilterRun function failing to properly filter special characters and commands in the constructed command. Attackers can exploit this vulnerability to cause arbitrary command execution.

Trust: 1.44

sources: NVD: CVE-2024-39367 // CNVD: CNVD-2025-02232

IOT TAXONOMY

category: ['Network device'] sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-02232

AFFECTED PRODUCTS

vendor: wavlink model: ac3000 m33a8.v5030.210505 scope: - version: -

Trust: 0.6

sources: CNVD: CNVD-2025-02232

CVSS

SEVERITY

talos-cna@cisco.com: CVE-2024-39367
value: CRITICAL

Trust: 1.0

CNVD: CNVD-2025-02232
value: HIGH

Trust: 0.6

CVSSV2

CNVD: CNVD-2025-02232
severity: HIGH
baseScore: 8.3
vectorString: AV:N/AC:L/AU:M/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: MULTIPLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 6.4
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

talos-cna@cisco.com: CVE-2024-39367
baseSeverity: CRITICAL
baseScore: 9.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.3
impactScore: 6.0
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2025-02232 // NVD: CVE-2024-39367

PROBLEMTYPE DATA

problemtype: CWE-77

Trust: 1.0

sources: NVD: CVE-2024-39367

PATCH

title: Patch for WAVLINK AC3000 firewall.cgi iptablesWebsFilterRun function command injection vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/652326

Trust: 0.6

sources: CNVD: CNVD-2025-02232

EXTERNAL IDS

db: NVD id: CVE-2024-39367

Trust: 1.6

db: TALOS id: TALOS-2024-2023

Trust: 1.0

db: CNVD id: CNVD-2025-02232

Trust: 0.6

sources: CNVD: CNVD-2025-02232 // NVD: CVE-2024-39367

REFERENCES

url: https://talosintelligence.com/vulnerability_reports/talos-2024-2023

Trust: 1.0

url: https://www.talosintelligence.com/vulnerability_reports/talos-2024-2023

Trust: 1.0

url: https://nvd.nist.gov/vuln/detail/cve-2024-39367

Trust: 0.6

sources: CNVD: CNVD-2025-02232 // NVD: CVE-2024-39367

SOURCES

db: CNVD id: CNVD-2025-02232
db: NVD id: CVE-2024-39367

LAST UPDATE DATE

2025-01-25T22:55:57.854000+00:00


SOURCES UPDATE DATE

db: CNVD id: CNVD-2025-02232 date: 2025-01-23T00:00:00
db: NVD id: CVE-2024-39367 date: 2025-01-14T16:15:31.330

SOURCES RELEASE DATE

db: CNVD id: CNVD-2025-02232 date: 2025-01-21T00:00:00
db: NVD id: CVE-2024-39367 date: 2025-01-14T15:15:19.677