CVE Catalog

CVE-2024-40085

CriticalCVSS 9.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.60%

44th percentile - higher than 44% of all known CVEs

Summary

A buffer overflow vulnerability in the local_app_set_router_wan function of Vilo 5 Mesh WiFi System versions up to 5.16.1.33 allows remote, unauthenticated attackers to execute arbitrary code by sending pppoe_username and pppoe_password fields longer than 128 bytes.

Risk Assessment

An attacker can remotely take control of the mesh WiFi device, leading to network integrity compromise, traffic interception, or further attacks on other devices in the network.

Recommendation

Immediately update the firmware of the Vilo 5 Mesh WiFi System to a version newer than 5.16.1.33 that includes a fix for this vulnerability.

Original NVD description (English source)

A Buffer Overflow vulnerability in the local_app_set_router_wan function of Vilo 5 Mesh WiFi System <= 5.16.1.33 allows remote, unauthenticated attackers to execute arbitrary code via pppoe_username and pppoe_password fields being larger than 128 bytes in length.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS