CVE-2025-39763: 
Linux Kernel vulnerability analysis and mitigation

A command injection vulnerability exists in the internet.cgi setaddrouting() functionality of Wavlink AC3000 M33A8.V5030.210505. The vulnerability, identified as CVE-2025-39763, was discovered by Lilith >> of Cisco Talos and publicly disclosed on January 14, 2025. A specially crafted HTTP request can lead to arbitrary command execution through the gateway POST parameter when an authenticated user makes a request ([Talos](https://talosintelligence.com/vulnerabilityreports/TALOS-2024-2020)).

The vulnerability exists in the gateway parameter processing of the setaddrouting function within the internet.cgi binary. When processing HTTP POST requests, the gateway parameter input is copied into a stack buffer (buff0x1001) as part of a command that is then executed using popen. Due to the lack of input validation, attackers can inject arbitrary system commands that will be executed with the privileges of the web server process. The vulnerability has been assigned a CVSS v3.1 base score of 9.1 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (Talos).

Successful exploitation of this vulnerability allows an authenticated attacker to execute arbitrary commands on the affected system with the privileges of the web server process. This could lead to complete system compromise, including the ability to modify system configurations, access sensitive information, or use the device as a foothold for further network attacks (Talos).

The vendor was contacted on July 25, 2024, and confirmed receipt on July 30, 2024. On October 22, 2024, the vendor replied that while the product has been discontinued, patches were being worked on. As of the public disclosure date (January 14, 2025), no official patches have been released (Talos).