CVE-2024-39790 is a critical security vulnerability identified in the Wavlink AC3000 router firmware version M33A8.V5030.210505. The flaw resides in the nas.cgi set_ftp_cfg() functionality, specifically within the handling of the ftp_max_sessions POST parameter. This vulnerability falls under CWE-15, which involves external control of system or configuration settings. An attacker with valid authentication credentials can send specially crafted HTTP requests to the nas.cgi endpoint to manipulate FTP configuration parameters, bypassing permission checks. This configuration injection can lead to unauthorized changes in system settings, potentially allowing the attacker to escalate privileges, disrupt services, or exfiltrate sensitive data. The vulnerability has a CVSS v3.1 score of 9.1, reflecting its critical nature due to network attack vector (AV:N), low attack complexity (AC:L), requirement for high privileges (PR:H), no user interaction (UI:N), and impact on confidentiality, integrity, and availability (all high). Although no public exploits are currently known, the vulnerability's characteristics make it a significant risk, especially in environments where Wavlink AC3000 routers are deployed. The lack of available patches at the time of reporting increases the urgency for interim mitigations. The vulnerability highlights the risks associated with insufficient validation and authorization controls in router configuration interfaces, which are common targets for attackers aiming to compromise network infrastructure.

For European organizations, exploitation of CVE-2024-39790 could lead to severe consequences including unauthorized configuration changes, disruption of FTP services, potential network compromise, and data breaches. Given the criticality of the vulnerability, attackers could leverage it to gain persistent access or disrupt business operations. Organizations relying on Wavlink AC3000 routers for critical network functions or in sensitive sectors such as finance, healthcare, or government could face significant operational and reputational damage. The vulnerability’s ability to impact confidentiality, integrity, and availability simultaneously makes it particularly dangerous. Additionally, the requirement for authentication means insider threats or compromised credentials could facilitate exploitation. The absence of patches necessitates immediate risk management to prevent exploitation, especially in environments with remote administrative access enabled. The impact is magnified in distributed networks where compromised routers can serve as footholds for lateral movement or as launch points for broader attacks.

1. Immediately restrict administrative access to the Wavlink AC3000 router management interface by limiting it to trusted IP addresses and using VPNs for remote access. 2. Enforce strong authentication mechanisms and rotate credentials regularly to reduce the risk of credential compromise. 3. Monitor router logs and network traffic for unusual FTP configuration changes or unauthorized HTTP requests to the nas.cgi endpoint. 4. Disable FTP services if not required or limit FTP session parameters manually to safe values. 5. Segment networks to isolate critical infrastructure from devices running vulnerable firmware. 6. Engage with Wavlink support channels to obtain firmware updates or patches as soon as they become available. 7. Consider deploying network-based intrusion detection/prevention systems (IDS/IPS) with signatures targeting exploitation attempts of this vulnerability. 8. Conduct regular security assessments and penetration tests focusing on router configurations and access controls. 9. Educate network administrators about the risks of configuration injection vulnerabilities and the importance of secure router management practices.