CVE-2024-40085
CriticalCVSS 9.6Exploitation Probability (EPSS)
Low risk44th percentile - higher than 44% of all known CVEs
Summary
A buffer overflow vulnerability in the local_app_set_router_wan function of Vilo 5 Mesh WiFi System versions up to 5.16.1.33 allows remote, unauthenticated attackers to execute arbitrary code by sending pppoe_username and pppoe_password fields longer than 128 bytes.
Risk Assessment
An attacker can remotely take control of the mesh WiFi device, leading to network integrity compromise, traffic interception, or further attacks on other devices in the network.
Recommendation
Immediately update the firmware of the Vilo 5 Mesh WiFi System to a version newer than 5.16.1.33 that includes a fix for this vulnerability.
Original NVD description (English source)
A Buffer Overflow vulnerability in the local_app_set_router_wan function of Vilo 5 Mesh WiFi System <= 5.16.1.33 allows remote, unauthenticated attackers to execute arbitrary code via pppoe_username and pppoe_password fields being larger than 128 bytes in length.

