OS Command Injection Vulnerability in TOTOLINK X5000r Product
CVE-2024-42742

8.8HIGH

Key Information:

Vendor: Totolink
Status: X5000r Firmware
Vendor: CVE Published:; 12 August 2024

What is CVE-2024-42742?

The TOTOLINK X5000r router is vulnerable due to an OS command injection flaw in the /cgi-bin/cstecgi.cgi component. Specifically, the issue arises within the setUrlFilterRules function, allowing authenticated attackers to exploit the vulnerability by crafting malicious packets. Successful exploitation can lead to the execution of arbitrary commands, posing significant risks to the device and potentially compromising its integrity and confidentiality.

References

https://github.com/HouseFuzz/reports/blob/main/totolink/x...

EPSS Score

12% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 12, 2024

Totolink

What is CVE-2024-42742?

References

EPSS Score

CVSS V3.1

Timeline