OS Command Injection Vulnerability in TOTOLINK X5000r Router
CVE-2024-42747
8.8 HIGH
What is CVE-2024-42747?
The TOTOLINK X5000r Router, version v9.1.0cu.2350_b20230313, contains an OS command injection vulnerability in the setWanIeCfg function of the /cgi-bin/cstecgi.cgi file. The flaw lets authenticated attackers craft and send malicious packets that lead to the execution of arbitrary commands on the affected device. Exploitation could compromise the integrity and confidentiality of the router, potentially allowing unauthorized access to and control over network configurations.