CVE Catalog

CVE-2024-48705

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

High risk
3.32%

87th percentile - higher than 87% of all known CVEs

Summary

In the firmware of Wavlink AC1200 (versions M32A3_V1410_230602 and M32A3_V1410_240222), a post-authentication command injection vulnerability was found during password reset. The issue resides in the "set_sys_adm" function of the "adm.cgi" binary due to improper sanitization of the "newpass" field.

Risk Assessment

An authenticated attacker can inject arbitrary system commands, leading to full device compromise and potential network security breach.

Recommendation

Immediately update the router firmware to the latest version available from the vendor. If no update is available, restrict administrative panel access to trusted IP addresses only.

Original NVD description (English source)

Wavlink AC1200 with firmware versions M32A3_V1410_230602 and M32A3_V1410_240222 are vulnerable to a post-authentication command injection while resetting the password. This vulnerability is specifically found within the "set_sys_adm" function of the "adm.cgi" binary, and is due to improper santization of the user provided "newpass" field

Vulnerability data from NVD (NIST) · CISA KEV · EPSS