CVE-2025-39782: 
Linux Kernel vulnerability analysis and mitigation

A command injection vulnerability exists in the adm.cgi schreboot() functionality of Wavlink AC3000 M33A8.V5030.210505, tracked as CVE-2024-39782. The vulnerability was discovered by Lilith of Cisco Talos and publicly disclosed on January 14, 2025. The vulnerability affects the restartmin POST parameter in the device's web interface (Talos).

The vulnerability exists in the schreboot function where the restartmin parameter from POST requests is not properly sanitized before being used in command execution. The function combines the user-provided parameters into a buffer that resembles a crontab item, which is then written to the SCHReboot nvram item and eventually added to the system's crontab. The vulnerability has received a CVSS v3.1 base score of 9.1 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command) ([Talos](https://talosintelligence.com/vulnerabilityreports/TALOS-2024-2033), NVD).

A successful exploitation of this vulnerability could lead to arbitrary code execution on the affected device. An attacker can make an authenticated HTTP request to trigger this vulnerability, potentially gaining complete control over the device (Talos).

The vendor was contacted on July 25, 2024, and confirmed that while the product has been discontinued, patches were being worked on. As of the public disclosure date (January 14, 2025), no official patches have been released (Talos).