Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-38896

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-24 Jun, 2024 | 00:00
Updated At-02 Aug, 2024 | 04:19
Rejected At-
Credits

WAVLINK WN551K1 found a command injection vulnerability through the start_hour parameter of /cgi-bin/nightled.cgi.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:24 Jun, 2024 | 00:00
Updated At:02 Aug, 2024 | 04:19
Rejected At:
▼CVE Numbering Authority (CNA)

WAVLINK WN551K1 found a command injection vulnerability through the start_hour parameter of /cgi-bin/nightled.cgi.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/s4ndw1ch136/IOT-vuln-reports/tree/main/Wavlink/WN551K1/nightled.cgi
N/A
Hyperlink: https://github.com/s4ndw1ch136/IOT-vuln-reports/tree/main/Wavlink/WN551K1/nightled.cgi
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Vendor
WAVLINK Technology Ltd.wavlink
Product
wn551k1_firmware
CPEs
  • cpe:2.3:o:wavlink:wn551k1_firmware:20210427:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • 20210427
Problem Types
TypeCWE IDDescription
CWECWE-77CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Type: CWE
CWE ID: CWE-77
Description: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Metrics
VersionBase scoreBase severityVector
3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/s4ndw1ch136/IOT-vuln-reports/tree/main/Wavlink/WN551K1/nightled.cgi
x_transferred
Hyperlink: https://github.com/s4ndw1ch136/IOT-vuln-reports/tree/main/Wavlink/WN551K1/nightled.cgi
Resource:
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:24 Jun, 2024 | 21:15
Updated At:06 Jun, 2025 | 17:13

WAVLINK WN551K1 found a command injection vulnerability through the start_hour parameter of /cgi-bin/nightled.cgi.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CPE Matches
WAVLINK Technology Ltd.
wavlink
>>wn551k1_firmware>>-
cpe:2.3:o:wavlink:wn551k1_firmware:-:*:*:*:*:*:*:*
WAVLINK Technology Ltd.
wavlink
>>wn551k1>>-
cpe:2.3:h:wavlink:wn551k1:-:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-77Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-77
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/s4ndw1ch136/IOT-vuln-reports/tree/main/Wavlink/WN551K1/nightled.cgicve@mitre.org
Exploit
Third Party Advisory
https://github.com/s4ndw1ch136/IOT-vuln-reports/tree/main/Wavlink/WN551K1/nightled.cgiaf854a3a-2127-422b-91ae-364da2661108
Exploit
Third Party Advisory
Hyperlink: https://github.com/s4ndw1ch136/IOT-vuln-reports/tree/main/Wavlink/WN551K1/nightled.cgi
Source: cve@mitre.org
Resource:
Exploit
Third Party Advisory
Hyperlink: https://github.com/s4ndw1ch136/IOT-vuln-reports/tree/main/Wavlink/WN551K1/nightled.cgi
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

27Records found
CVE-2024-38894
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-1.55% / 80.68%
||
7 Day CHG~0.00%
Published-24 Jun, 2024 | 00:00
Updated-06 Jun, 2025 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

WAVLINK WN551K1 found a command injection vulnerability through the IP parameter of /cgi-bin/touchlist_sync.cgi.

Action-Not Available
Vendor-n/aWAVLINK Technology Ltd.
Product-wn551k1_firmwarewn551k1n/awn551k1_firmware
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2022-34049
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-15.52% / 94.40%
||
7 Day CHG~0.00%
Published-20 Jul, 2022 | 16:50
Updated-03 Aug, 2024 | 08:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An access control issue in Wavlink WN530HG4 M30HG4.V5030.191116 allows unauthenticated attackers to download log files and configuration data.

Action-Not Available
Vendor-n/aWAVLINK Technology Ltd.
Product-wl-wn530hg4wl-wn530hg4_firmwaren/a
CWE ID-CWE-552
Files or Directories Accessible to External Parties
CVE-2024-38895
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.10% / 29.14%
||
7 Day CHG~0.00%
Published-24 Jun, 2024 | 00:00
Updated-06 Jun, 2025 | 17:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

WAVLINK WN551K1'live_mfg.shtml enables attackers to obtain sensitive router information.

Action-Not Available
Vendor-n/aWAVLINK Technology Ltd.
Product-wn551k1_firmwarewn551k1n/awn551k1_firmware
CWE ID-CWE-202
Exposure of Sensitive Information Through Data Queries
CVE-2024-39773
Matching Score-8
Assigner-Talos
ShareView Details
Matching Score-8
Assigner-Talos
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 11.97%
||
7 Day CHG-0.00%
Published-14 Jan, 2025 | 14:21
Updated-22 Aug, 2025 | 14:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An information disclosure vulnerability exists in the testsave.sh functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to a disclosure of sensitive information. An attacker can send an HTTP request to trigger this vulnerability.

Action-Not Available
Vendor-WAVLINK Technology Ltd.
Product-wl-wn533a8wl-wn533a8_firmwareWavlink AC3000
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2024-38897
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.23% / 45.83%
||
7 Day CHG~0.00%
Published-24 Jun, 2024 | 00:00
Updated-06 Jun, 2025 | 17:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

WAVLINK WN551K1'live_check.shtml enables attackers to obtain sensitive router information.

Action-Not Available
Vendor-n/aWAVLINK Technology Ltd.
Product-wn551k1_firmwarewn551k1n/awn551k1_firmware
CWE ID-CWE-202
Exposure of Sensitive Information Through Data Queries
CVE-2024-10193
Matching Score-6
Assigner-VulDB
ShareView Details
Matching Score-6
Assigner-VulDB
CVSS Score-5.1||MEDIUM
EPSS-5.28% / 89.62%
||
7 Day CHG~0.00%
Published-20 Oct, 2024 | 07:31
Updated-23 Oct, 2024 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WAVLINK WN530H4/WN530HG4/WN572HG3 internet.cgi ping_ddns command injection

A vulnerability was found in WAVLINK WN530H4, WN530HG4 and WN572HG3 up to 20221028 and classified as critical. This issue affects the function ping_ddns of the file internet.cgi. The manipulation of the argument DDNS leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-WAVLINK Technology Ltd.
Product-wn530h4wn530h4_firmwarewn530hg4_firmwarewn530hg4wn572hg3_firmwarewn572hg3WN530H4WN572HG3WN530HG4wn530h4_firmwarewn530hg4_firmwarewn572hg3_firmware
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-10429
Matching Score-6
Assigner-VulDB
ShareView Details
Matching Score-6
Assigner-VulDB
CVSS Score-8.6||HIGH
EPSS-7.09% / 91.15%
||
7 Day CHG+3.08%
Published-27 Oct, 2024 | 21:00
Updated-13 Nov, 2024 | 17:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WAVLINK WN530H4/WN530HG4/WN572HG3 internet.cgi set_ipv6 command injection

A vulnerability classified as critical has been found in WAVLINK WN530H4, WN530HG4 and WN572HG3 up to 20221028. Affected is the function set_ipv6 of the file internet.cgi. The manipulation of the argument IPv6OpMode/IPv6IPAddr/IPv6WANIPAddr/IPv6GWAddr leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-WAVLINK Technology Ltd.
Product-wn530h4wn530h4_firmwarewn530hg4_firmwarewn530hg4wn572hg3_firmwarewn572hg3WN530H4WN572HG3WN530HG4wn530h4_firmwarewn530hg4_firmwarewn572hg3_firmware
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-10428
Matching Score-6
Assigner-VulDB
ShareView Details
Matching Score-6
Assigner-VulDB
CVSS Score-8.6||HIGH
EPSS-7.09% / 91.15%
||
7 Day CHG+3.08%
Published-27 Oct, 2024 | 20:31
Updated-13 Nov, 2024 | 17:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WAVLINK WN530H4/WN530HG4/WN572HG3 firewall.cgi set_ipv6 command injection

A vulnerability was found in WAVLINK WN530H4, WN530HG4 and WN572HG3 up to 20221028. It has been rated as critical. This issue affects the function set_ipv6 of the file firewall.cgi. The manipulation of the argument dhcpGateway leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-WAVLINK Technology Ltd.
Product-wn530h4wn530h4_firmwarewn530hg4_firmwarewn530hg4wn572hg3_firmwarewn572hg3WN530H4WN572HG3WN530HG4wn572hg3_firmware
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2025-44868
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.98% / 75.83%
||
7 Day CHG~0.00%
Published-02 May, 2025 | 00:00
Updated-13 Jun, 2025 | 13:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Wavlink WL-WN530H4 20220801 was found to contain a command injection vulnerability in the ping_test function of the adm.cgi via the pingIp parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

Action-Not Available
Vendor-n/aWAVLINK Technology Ltd.
Product-wl-wn530h4wl-wn530h4_firmwaren/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-38861
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.46% / 80.06%
||
7 Day CHG~0.00%
Published-15 Aug, 2023 | 00:00
Updated-09 Oct, 2024 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in Wavlink WL_WNJ575A3 v.R75A3_V1410_220513 allows a remote attacker to execute arbitrary code via username parameter of the set_sys_adm function in adm.cgi.

Action-Not Available
Vendor-n/aWAVLINK Technology Ltd.
Product-wl-wn575a3_firmwarewl-wn575a3n/awl_wnj575a3
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2022-34592
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-18.51% / 94.99%
||
7 Day CHG~0.00%
Published-07 Jul, 2022 | 00:00
Updated-03 Aug, 2024 | 09:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Wavlink WL-WN575A3 RPT75A3.V4300.201217 was discovered to contain a command injection vulnerability via the function obtw. This vulnerability allows attackers to execute arbitrary commands via a crafted POST request.

Action-Not Available
Vendor-n/aWAVLINK Technology Ltd.
Product-wl-wn575a3_firmwarewl-wn575a3n/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2020-13117
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-92.07% / 99.70%
||
7 Day CHG~0.00%
Published-09 Feb, 2021 | 18:53
Updated-19 Aug, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Wavlink WN575A4, WN579X3, and WN530G3A devices through 2020-05-15 allow unauthenticated remote users to inject commands via the key parameter in a login request.

Action-Not Available
Vendor-n/aWAVLINK Technology Ltd.
Product-wn575a4_firmwarewn575a4wn579x3wn579x3_firmwaren/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-39765
Matching Score-6
Assigner-Talos
ShareView Details
Matching Score-6
Assigner-Talos
CVSS Score-9.1||CRITICAL
EPSS-0.45% / 62.75%
||
7 Day CHG+0.25%
Published-14 Jan, 2025 | 14:21
Updated-22 Aug, 2025 | 14:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple OS command injection vulnerabilities exist in the internet.cgi set_add_routing() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A command injection vulnerability exists in the `custom_interface` POST parameter.

Action-Not Available
Vendor-WAVLINK Technology Ltd.
Product-wl-wn533a8wl-wn533a8_firmwareWavlink AC3000
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-39764
Matching Score-6
Assigner-Talos
ShareView Details
Matching Score-6
Assigner-Talos
CVSS Score-9.1||CRITICAL
EPSS-0.45% / 62.75%
||
7 Day CHG+0.25%
Published-14 Jan, 2025 | 14:21
Updated-22 Aug, 2025 | 14:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple OS command injection vulnerabilities exist in the internet.cgi set_add_routing() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A command injection vulnerability exists in the `dest` POST parameter.

Action-Not Available
Vendor-WAVLINK Technology Ltd.
Product-wl-wn533a8wl-wn533a8_firmwareWavlink AC3000
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-39360
Matching Score-6
Assigner-Talos
ShareView Details
Matching Score-6
Assigner-Talos
CVSS Score-9.1||CRITICAL
EPSS-0.30% / 53.07%
||
7 Day CHG+0.01%
Published-14 Jan, 2025 | 14:20
Updated-21 Aug, 2025 | 17:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An os command injection vulnerability exists in the nas.cgi remove_dir() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

Action-Not Available
Vendor-WAVLINK Technology Ltd.
Product-wl-wn533a8_firmwarewl-wn533a8Wavlink AC3000
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-34166
Matching Score-6
Assigner-Talos
ShareView Details
Matching Score-6
Assigner-Talos
CVSS Score-10||CRITICAL
EPSS-1.38% / 79.52%
||
7 Day CHG+0.02%
Published-14 Jan, 2025 | 14:21
Updated-21 Aug, 2025 | 18:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An os command injection vulnerability exists in the touchlist_sync.cgi touchlistsync() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted set of HTTP requests can lead to arbitrary code execution. An attacker can send an HTTP request to trigger this vulnerability.

Action-Not Available
Vendor-WAVLINK Technology Ltd.
Product-wl-wn533a8_firmwarewl-wn533a8Wavlink AC3000
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-39783
Matching Score-6
Assigner-Talos
ShareView Details
Matching Score-6
Assigner-Talos
CVSS Score-9.1||CRITICAL
EPSS-0.28% / 50.81%
||
7 Day CHG+0.02%
Published-14 Jan, 2025 | 14:21
Updated-22 Aug, 2025 | 14:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple OS command injection vulnerabilities exist in the adm.cgi sch_reboot() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to a arbitrary code execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A command injection vulnerability exists in the `restart_week` POST parameter.

Action-Not Available
Vendor-WAVLINK Technology Ltd.
Product-wl-wn533a8wl-wn533a8_firmwareWavlink AC3000
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-39763
Matching Score-6
Assigner-Talos
ShareView Details
Matching Score-6
Assigner-Talos
CVSS Score-9.1||CRITICAL
EPSS-0.45% / 62.75%
||
7 Day CHG+0.25%
Published-14 Jan, 2025 | 14:21
Updated-22 Aug, 2025 | 14:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple OS command injection vulnerabilities exist in the internet.cgi set_add_routing() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A command injection vulnerability exists in the `gateway` POST parameter.

Action-Not Available
Vendor-WAVLINK Technology Ltd.
Product-wl-wn533a8wl-wn533a8_firmwareWavlink AC3000
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-39367
Matching Score-6
Assigner-Talos
ShareView Details
Matching Score-6
Assigner-Talos
CVSS Score-9.1||CRITICAL
EPSS-0.30% / 53.07%
||
7 Day CHG-0.37%
Published-14 Jan, 2025 | 14:21
Updated-21 Aug, 2025 | 17:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An os command injection vulnerability exists in the firewall.cgi iptablesWebsFilterRun() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

Action-Not Available
Vendor-WAVLINK Technology Ltd.
Product-wl-wn533a8_firmwarewl-wn533a8Wavlink AC3000
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-39782
Matching Score-6
Assigner-Talos
ShareView Details
Matching Score-6
Assigner-Talos
CVSS Score-9.1||CRITICAL
EPSS-0.28% / 50.81%
||
7 Day CHG-0.20%
Published-14 Jan, 2025 | 14:21
Updated-22 Aug, 2025 | 14:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple OS command injection vulnerabilities exist in the adm.cgi sch_reboot() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to a arbitrary code execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A command injection vulnerability exists in the `restart_min` POST parameter.

Action-Not Available
Vendor-WAVLINK Technology Ltd.
Product-wl-wn533a8wl-wn533a8_firmwareWavlink AC3000
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-39761
Matching Score-6
Assigner-Talos
ShareView Details
Matching Score-6
Assigner-Talos
CVSS Score-10||CRITICAL
EPSS-0.58% / 67.81%
||
7 Day CHG-0.52%
Published-14 Jan, 2025 | 14:21
Updated-22 Aug, 2025 | 14:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple OS command injection vulnerabilities exist in the login.cgi set_sys_init() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can make an unauthenticated HTTP request to trigger these vulnerabilities.A command injection vulnerability exists within the `restart_week_value` POST parameter.

Action-Not Available
Vendor-WAVLINK Technology Ltd.
Product-wl-wn533a8wl-wn533a8_firmwareWavlink AC3000
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-39781
Matching Score-6
Assigner-Talos
ShareView Details
Matching Score-6
Assigner-Talos
CVSS Score-9.1||CRITICAL
EPSS-0.28% / 50.81%
||
7 Day CHG+0.02%
Published-14 Jan, 2025 | 14:21
Updated-22 Aug, 2025 | 14:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple OS command injection vulnerabilities exist in the adm.cgi sch_reboot() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to a arbitrary code execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A command injection vulnerability exists in the `restart_hour` POST parameter.

Action-Not Available
Vendor-WAVLINK Technology Ltd.
Product-wl-wn533a8wl-wn533a8_firmwareWavlink AC3000
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-37186
Matching Score-6
Assigner-Talos
ShareView Details
Matching Score-6
Assigner-Talos
CVSS Score-9.1||CRITICAL
EPSS-0.30% / 53.07%
||
7 Day CHG-0.37%
Published-14 Jan, 2025 | 14:21
Updated-21 Aug, 2025 | 20:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An os command injection vulnerability exists in the adm.cgi set_ledonoff() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

Action-Not Available
Vendor-WAVLINK Technology Ltd.
Product-wl-wn533a8_firmwarewl-wn533a8Wavlink AC3000
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-39759
Matching Score-6
Assigner-Talos
ShareView Details
Matching Score-6
Assigner-Talos
CVSS Score-10||CRITICAL
EPSS-0.58% / 67.81%
||
7 Day CHG-0.52%
Published-14 Jan, 2025 | 14:21
Updated-22 Aug, 2025 | 14:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple OS command injection vulnerabilities exist in the login.cgi set_sys_init() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can make an unauthenticated HTTP request to trigger these vulnerabilities.A command injection vulnerability exists within the `restart_hour_value` POST parameter.

Action-Not Available
Vendor-WAVLINK Technology Ltd.
Product-wl-wn533a8wl-wn533a8_firmwareWavlink AC3000
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-39760
Matching Score-6
Assigner-Talos
ShareView Details
Matching Score-6
Assigner-Talos
CVSS Score-10||CRITICAL
EPSS-0.58% / 67.81%
||
7 Day CHG-0.52%
Published-14 Jan, 2025 | 14:21
Updated-22 Aug, 2025 | 14:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple OS command injection vulnerabilities exist in the login.cgi set_sys_init() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can make an unauthenticated HTTP request to trigger these vulnerabilities.A command injection vulnerability exists within the `restart_min_value` POST parameter.

Action-Not Available
Vendor-WAVLINK Technology Ltd.
Product-wl-wn533a8wl-wn533a8_firmwareWavlink AC3000
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-39762
Matching Score-6
Assigner-Talos
ShareView Details
Matching Score-6
Assigner-Talos
CVSS Score-9.1||CRITICAL
EPSS-0.45% / 62.75%
||
7 Day CHG+0.25%
Published-14 Jan, 2025 | 14:21
Updated-22 Aug, 2025 | 14:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple OS command injection vulnerabilities exist in the internet.cgi set_add_routing() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A command injection vulnerability exists in the `netmask` POST parameter.

Action-Not Available
Vendor-WAVLINK Technology Ltd.
Product-wl-wn533a8wl-wn533a8_firmwareWavlink AC3000
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2018-20523
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-6.19% / 90.48%
||
7 Day CHG-1.00%
Published-07 Jun, 2019 | 15:36
Updated-05 Aug, 2024 | 12:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Xiaomi Stock Browser 10.2.4.g on Xiaomi Redmi Note 5 Pro devices and other Redmi Android phones allows content provider injection. In other words, a third-party application can read the user's cleartext browser history via an app.provider.query content://com.android.browser.searchhistory/searchhistory request.

Action-Not Available
Vendor-n/aXiaomi
Product-redmi_6a_firmwareredmi_4a_firmwareredmi_note_5a_prime_firmwareredmi_note_7redmi_note_6_proredmi_s2redmi_4aredmi_5_plus_firmwareredmi_7aredmi_k20_pro_firmwareredmi_k20_firmwareredmi_s2_firmwareredmi_7redmi_note_5_proredmi_note_7_firmwareredmi_y3redmi_6_firmwareredmi_goredmi_note_4redmi_note_5_pro_firmwareredmi_6aredmi_note_4_firmwareredmi_note_5redmi_note_5a_primeredmi_k20_proredmi_note_7sstock_browserredmi_k20redmi_7_firmwareredmi_7a_firmwareredmi_note_5_firmwareredmi_5_plusredmi_y3_firmwareredmi_note_6_pro_firmwareredmi_note_7s_firmwareredmi_go_firmwareredmi_6n/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
Details not found