CRITICAL🇵🇱 Wersja polska

CVE-2024-39754

CVSS 10.0v3.1pub. 2025-01-14upd. 2025-08-21

A static login vulnerability exists in the wctrls functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted set of network packets can lead to root access. An attacker can send packets to trigger this vulnerability.

🤖 AI Analysis
How it works

Static login credentials are hardcoded in the wctrls functionality of the Wavlink AC3000 M33A8 device and cannot be changed by the user. By sending specially crafted network packets to the vulnerable device, an attacker can use these credentials to authenticate without knowing any credentials. As a result, the attacker gains root-level access without requiring any user interaction.

Impact

Attacker gains full, unauthenticated root access to the device, meaning complete control — ability to read and modify configuration, intercept network traffic, and further use the device as an entry point to the network.

Mitigation & patch

Apply patches available from the manufacturer according to references. It is recommended to restrict network access to the device management panel (firewall-level filtering, VLAN isolation) until the update is deployed.

Who is affected

Wavlink AC3000 M33A8, firmware version V5030.210505 (products: Wavlink Wl-Wn533A8 / Wl-Wn533A8 Firmware)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Wavlink Wl Wn533a8

    HW
    Wavlink
    wszystkie wersje
  • Wavlink Wl Wn533a8 Firmware

    OS
    Wavlink
    m33a8.v5030.210505
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-21797CRITICAL9.1PL ✓ten sam produkt

Command injection w Wavlink AC3000 — wykonanie dowolnych poleceń przez adm.cgi

CVE-2024-34166CRITICAL10.0PL ✓ten sam produkt

Command injection w firmware Wavlink AC3000 — zdalne wykonanie kodu

CVE-2024-34544CRITICAL9.1PL ✓ten sam produkt

Command injection w Wavlink AC3000 – nieautoryzowane wykonanie poleceń

CVE-2024-36258CRITICAL10.0PL ✓ten sam produkt

Stack-based buffer overflow w Wavlink AC3000 umożliwia RCE przez HTTP

CVE-2024-36272CRITICAL9.1PL ✓ten sam produkt

Buffer overflow w Wavlink AC3000 — podatność w funkcji set_info() usbip.cgi