CVE-2024-39794 is a critical security vulnerability identified in the Wavlink AC3000 router firmware version M33A8.V5030.210505. The vulnerability stems from multiple external control of system or configuration settings issues (CWE-15) within the nas.cgi set_nas() function related to the proftpd service. Specifically, the vulnerability allows an authenticated attacker to send specially crafted HTTP POST requests to the router’s management interface, targeting the ftp_port parameter. This parameter is susceptible to configuration injection, enabling the attacker to bypass permission checks and alter system configurations externally. The vulnerability affects confidentiality, integrity, and availability, as unauthorized configuration changes can lead to privilege escalation, data exposure, or denial of service. The CVSS v3.1 score is 9.1 (critical), reflecting network attack vector (AV:N), low attack complexity (AC:L), required privileges (PR:H), no user interaction (UI:N), and scope change (S:C). Although exploitation requires authentication, the lack of user interaction and the critical impact make this a severe threat. No public exploits have been reported yet, but the vulnerability’s nature suggests it could be leveraged for persistent unauthorized access or network disruption. The vulnerability is specific to the Wavlink AC3000 model running the specified firmware version, emphasizing the need for targeted patching and configuration review.

For European organizations, this vulnerability poses a significant risk to network security and operational continuity. Unauthorized configuration changes could allow attackers to redirect traffic, disable security controls, or create backdoors, compromising sensitive data confidentiality and network integrity. The critical severity and scope change imply that a successful exploit could affect multiple systems connected to the compromised router, potentially leading to widespread disruption. Organizations relying on Wavlink AC3000 devices for critical network infrastructure may face service outages or data breaches. Given the requirement for authentication, insider threats or compromised credentials increase the risk. The absence of public exploits currently reduces immediate risk but does not eliminate the threat, especially in environments with weak access controls. The impact extends to regulatory compliance, as data breaches or service interruptions could violate GDPR and other European cybersecurity regulations.

1. Immediately restrict administrative access to the Wavlink AC3000 management interface by limiting it to trusted IP addresses or VPN connections. 2. Enforce strong authentication mechanisms and regularly update credentials to reduce the risk of credential compromise. 3. Monitor network traffic and logs for unusual HTTP POST requests targeting nas.cgi or changes to FTP-related configurations. 4. Disable or restrict proftpd service usage if not required to minimize attack surface. 5. Apply firmware updates or patches from Wavlink as soon as they become available to address this vulnerability. 6. Implement network segmentation to isolate vulnerable devices from critical systems. 7. Conduct regular vulnerability assessments and penetration testing focusing on router configurations and access controls. 8. Educate network administrators about the risks of configuration injection attacks and the importance of secure management practices.