Slew of WavLink vulnerabilities


TALOS

Wednesday, January 15, 2025 08:00

Lilith >_> of Cisco Talos discovered these vulnerabilities.

Forty-four vulnerabilities and sixty-three CVEs were discovered across ten .cgi and three .sh files, as well as the static login page, of the Wavlink AC3000 wireless router web application.

The Wavlink AC3000 wireless router is one of the most popular gigabit routers in the US, in part due to both its potential speed capabilities and low price point.

Talos is releasing these advisories in accordance with Cisco’s third-party vulnerability disclosure policy. Wavlink has declined to release a patch for these vulnerabilities.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org. Our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

**Static login vulnerability**

An attacker can send a specially crafted set of network packets over WAN to gain root access to the router via the wcrtrl service and static login credentials.

Static Login

  • TALOS-2024-2034 (CVE-2024-39754): Static login

**Ten .cgi vulnerabilities**

An unauthenticated HTTP request can trigger the following types of vulnerabilities:

touchlist_sync.cgi

  • TALOS-2024-1999 (CVE-2022-2488): Arbitrary code execution
  • TALOS-2024-2000 (CVE-2024-34166): Command injection
  • TALOS-2024-2046 (CVE-2024-36258): Buffer overflow

Login.cgi

  • TALOS-2024-2017 (CVE-2024-39363): Persistent XSS
  • TALOS-2024-2018 (CVE-2024-39759-CVE-2024-39761): Command injection
  • TALOS-2024-2019 (CVE-2024-36290): Buffer overflow
  • TALOS-2024-2036 (CVE-2024-39608): Unauthenticated firmware upload

internet.cgi

  • TALOS-2024-2020 (CVE-2024-39762-CVE-2024-39765): Command injection
  • TALOS-2024-2021 (CVE-2024-39288): Buffer overflow
  • TALOS-2024-2022 (CVE-2024-39768-CVE-2024-39770): Buffer overflow

firewall.cgi

  • TALOS-2024-2023 (CVE-2024-39367): Command injection

adm.cgi

  • TALOS-2024-2024 (CVE-2024-39756): Buffer overflow
  • TALOS-2024-2025 (CVE-2024-37184): Buffer overflow
  • TALOS-2024-2026 (CVE-2024-39294): Buffer overflow
  • TALOS-2024-2027 (CVE-2024-39358): Buffer overflow
  • TALOS-2024-2028 (CVE-2024-21797): Command injection
  • TALOS-2024-2029 (CVE-2024-37357): Buffer overflow
  • TALOS-2024-2030 (CVE-2024-39774): Buffer overflow
  • TALOS-2024-2031 (CVE-2024-39370): Arbitrary code execution
  • TALOS-2024-2032 (CVE-2024-37186): OS command injection
  • TALOS-2024-2033 (CVE-2024-39781-CVE-2024-39783): OS command injection

wireless.cgi

  • TALOS-2024-2039 (CVE-2024-39357): Buffer overflow
  • TALOS-2024-2040 (CVE-2024-39359): Buffer overflow
  • TALOS-2024-2041 (CVE-2024-36493): Buffer overflow
  • TALOS-2024-2042 (CVE-2024-39603): Buffer overflow
  • TALOS-2024-2043 (CVE-2024-39757): Buffer overflow
  • TALOS-2024-2044 (CVE-2024-34544): Command injection

usbip.cgi

  • TALOS-2024-2045 (CVE-2024-36272): Buffer overflow

qos.cgi

  • TALOS-2024-2047 (CVE-2024-36295): Command injection
  • TALOS-2024-2048 (CVE-2024-39299): Buffer overflow
  • TALOS-2024-2049 (CVE-2024-39801-CVE-2024-39803): Buffer overflow

openvpn.cgi

  • TALOS-2024-2050 (CVE-2024-39798-CVE-2024-39800): Configuration control
  • TALOS-2024-2051 (CVE-2024-38666): Configuration control

nas.cgi

  • TALOS-2024-2052 (CVE-2024-39602): Configuration control
  • TALOS-2024-2053 (CVE-2024-39793-CVE-2024-39795): Configuration control
  • TALOS-2024-2054 (CVE-2024-39360): Command injection
  • TALOS-2024-2055 (CVE-2024-39280): Configuration control
  • TALOS-2024-2056 (CVE-2024-39788-CVE-2024-39790): Configuration control
  • TALOS-2024-2057 (CVE-2024-39786-CVE-2024-39787): Directory traversal
  • TALOS-2024-2058 (CVE-2024-39784-CVE-2024-39785): Command injection

**Three .sh vulnerabilities**

Attackers can send specially crafted HTTP requests. A man-in-the-middle attack can trigger the fw_check.sh and update_filter_url.sh vulnerabilities.

testsave.sh

  • TALOS-2024-2035 (CVE-2024-39773): Firmware update

fw_check.sh

  • TALOS-2024-2037 (CVE-2024-39273): Firmware upload

update_filter_url.sh

  • TALOS-2024-2038 (CVE-2024-39604): Argument injection

Related news

CVE-2022-2488: webray.com.cn/Wavlink touchlist_sync.cgi.md at main · 1angx/webray.com.cn

A vulnerability was found in WAVLINK WN535K2 and WN535K3 and classified as critical. This issue affects some unknown processing of the file /cgi-bin/touchlist_sync.cgi. The manipulation of the argument IP leads to os command injection. The exploit has been disclosed to the public and may be used.
