CVE-2025-39784: 
Linux Kernel vulnerability analysis and mitigation

Multiple command execution vulnerabilities exist in the nas.cgi adddir() functionality of Wavlink AC3000 M33A8.V5030.210505, identified as CVE-2024-39784. The vulnerability was discovered by Lilith of Cisco Talos and publicly disclosed on January 14, 2025. This vulnerability affects the Wavlink AC3000 router, which is one of the most popular gigabit routers in the US, particularly due to its potential wireless and wired speed capabilities and low price point ([Talos](https://talosintelligence.com/vulnerabilityreports/TALOS-2024-2058)).

The vulnerability exists in the nas.cgi adddir() functionality where a command injection vulnerability is present in the diskpart POST parameter. When processing HTTP requests, the router's lighttpd server configuration allows .cgi binaries to be invoked from the web root. While authentication is required through the checkvaliduser() function, an authenticated attacker can execute arbitrary shell commands on the system by providing a subshell command inside the diskpart POST parameter. The vulnerability has received a CVSS v3.1 base score of 9.1 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) ([Talos](https://talosintelligence.com/vulnerabilityreports/TALOS-2024-2058), NVD).

A successful exploitation of this vulnerability allows an authenticated attacker to execute arbitrary commands on the affected system, potentially leading to complete system compromise with high impacts on confidentiality, integrity, and availability of the device (Talos).

The vendor was contacted on July 25, 2024, and confirmed that while the product has been discontinued, patches were being worked on. However, as of the public disclosure date (January 14, 2025), no specific patches or mitigations have been released (Talos).