CVE-2024-48705
MediumCVSS 6.5Exploitation Probability (EPSS)
High risk87th percentile - higher than 87% of all known CVEs
Summary
In the firmware of Wavlink AC1200 (versions M32A3_V1410_230602 and M32A3_V1410_240222), a post-authentication command injection vulnerability was found during password reset. The issue resides in the "set_sys_adm" function of the "adm.cgi" binary due to improper sanitization of the "newpass" field.
Risk Assessment
An authenticated attacker can inject arbitrary system commands, leading to full device compromise and potential network security breach.
Recommendation
Immediately update the router firmware to the latest version available from the vendor. If no update is available, restrict administrative panel access to trusted IP addresses only.
Original NVD description (English source)
Wavlink AC1200 with firmware versions M32A3_V1410_230602 and M32A3_V1410_240222 are vulnerable to a post-authentication command injection while resetting the password. This vulnerability is specifically found within the "set_sys_adm" function of the "adm.cgi" binary, and is due to improper santization of the user provided "newpass" field

