Multiple OS command injection vulnerabilities exist in the login.cgi set_sys_init() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can make an unauthenticated HTTP request to trigger these vulnerabilities.A command injection vulnerability exists within the `restart_min_value` POST parameter.
https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-2018
https://talosintelligence.com/vulnerability_reports/TALOS-2024-2018