CVE-2025-39789: 
Linux Debian vulnerability analysis and mitigation

Multiple external config control vulnerabilities exist in the nas.cgi setftpcfg() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to permission bypass. The vulnerability was discovered by Lilith of Cisco Talos and was disclosed on January 14, 2025. The affected system is the Wavlink AC3000 router running firmware version M33A8.V5030.210505 (Talos).

The vulnerability specifically exists within the ftp_port POST parameter of the nas.cgi setftpcfg() functionality. The issue stems from insufficient newline filtering on input parameters, allowing direct injection of proftpd configuration into /etc/proftpd.conf. The vulnerability has been assigned a CVSS v3.1 base score of 9.1 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and is classified under CWE-15 (External Control of System or Configuration Setting) (Talos).

The vulnerability allows an authenticated attacker to inject configuration settings that can lead to directory traversal to any directory accessible to the login user. This can potentially result in gaining shell access to the system. The vulnerability affects the entire filesystem instead of being restricted to the expected /media/ folder in the default configuration (Talos).

As of January 14, 2025, the vendor has acknowledged that while the product has been discontinued, patches are being worked on. No specific mitigation steps have been provided yet (Talos).