CVE-2025-39790: 
Linux Kernel vulnerability analysis and mitigation

A configuration injection vulnerability (CVE-2024-39790) exists in the nas.cgi setftpcfg() functionality of Wavlink AC3000 M33A8.V5030.210505. The vulnerability was discovered by Lilith of Cisco Talos and publicly disclosed on January 14, 2025. The vulnerability specifically affects the ftp_max_sessions POST parameter and allows authenticated users to bypass permissions through specially crafted HTTP requests (Talos, NVD).

The vulnerability exists in the FTP configuration functionality of the Wavlink AC3000 router. When processing the ftp_max_sessions parameter, the system fails to properly validate input, allowing for configuration injection into the /etc/proftpd.conf file. The vulnerability has received a CVSS v3.1 base score of 9.1 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) from Talos, while NVD assessed it at 7.2 HIGH (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). The vulnerability is classified as CWE-15 (External Control of System or Configuration Setting) (Talos).

The vulnerability allows an authenticated attacker to inject configuration settings into the proftpd configuration file. This can lead to directory traversal to any directory accessible to the login user, potentially resulting in gaining shell access to the system. The impact is particularly severe as it affects the entire filesystem instead of being confined to the expected /media/ folder (Talos).

While the product has been discontinued, the vendor indicated that patches were being worked on as of October 22, 2024. No specific mitigation strategies or workarounds have been publicly released (Talos).