Command Injection Vulnerability in TOTOLINK A3100R HTTP POST Request Handler
CVE-2024-7158
8.8 HIGH
What is CVE-2024-7158?
A command injection vulnerability has been identified in the TOTOLINK A3100R router, specifically within the HTTP POST Request Handler, in the function setTelnetCfg located in the /cgi-bin/cstecgi.cgi file. An attacker can exploit this vulnerability by sending a specially crafted request that manipulates the telnet_enabled parameter. This vulnerability allows for remote command execution, potentially compromising the security of the device. The vendor has been made aware of this issue, but there has been no response regarding remediation, leaving users at risk. It is crucial for users to implement safeguards and monitor network activity to mitigate potential attacks.
Affected Version(s)
A3100R 4.1.2cu.5050_B20200504
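
A monitoring check for the request described above, added here as an example and not taken from the vendor or the original advisory: it flags POSTs to /cgi-bin/cstecgi.cgi whose telnet_enabled value is anything other than a plain on/off flag. The 0/1 allow-list, the JSON or form-encoded body format, the topicurl key and the sample requests are assumptions constructed for illustration.

```python
import json
from urllib.parse import parse_qs

CGI_PATH = "/cgi-bin/cstecgi.cgi"  # from the advisory
HANDLER = "setTelnetCfg"           # from the advisory
PARAM = "telnet_enabled"           # from the advisory
ALLOWED = {"0", "1"}               # assumption: the parameter is an on/off flag


def parse_body(body):
    """Return body fields as a flat dict of strings: JSON first, then form encoding."""
    try:
        data = json.loads(body)
        if isinstance(data, dict):
            return {str(k): str(v) for k, v in data.items()}
    except ValueError:
        pass
    return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}


def classify(method, path, body):
    """Return 'ignore', 'telnet-config-change' or 'suspicious' for one request."""
    if method.upper() != "POST" or path.split("?", 1)[0] != CGI_PATH:
        return "ignore"
    fields = parse_body(body)
    if PARAM not in fields:
        # Handler named without the parameter: still a config change worth logging.
        return "telnet-config-change" if HANDLER in fields.values() else "ignore"
    # Anything beyond a bare flag (extra characters, separators) is treated as hostile.
    return "telnet-config-change" if fields[PARAM] in ALLOWED else "suspicious"


# Constructed sample requests (method, path, body); "topicurl" is an assumed key name.
SAMPLES = [
    ("GET", "/index.html", ""),
    ("POST", CGI_PATH, '{"topicurl":"setTelnetCfg","telnet_enabled":"1"}'),
    ("POST", CGI_PATH, '{"topicurl":"setTelnetCfg","telnet_enabled":"1;PLACEHOLDER"}'),
    ("POST", CGI_PATH, "telnet_enabled=0%26PLACEHOLDER"),
    ("POST", CGI_PATH, '{"topicurl":"otherHandler"}'),
]


def scan(requests):
    """Classify every request; returns a list of verdict strings in input order."""
    return [classify(m, p, b) for m, p, b in requests]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLES, scan(SAMPLES)):
        print(f"{verdict:22} {req[0]} {req[1]} {req[2]}")
```

Any telnet-config-change on a device where Telnet is not meant to be managed remotely also deserves review, not only the suspicious verdicts.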
