Command Injection Vulnerability in TOTOLINK LR350 Products
CVE-2024-7214

8.8HIGH

Key Information:

Vendor: Totolink
Status: Lr350
Vendor: CVE Published:; 30 July 2024

Badges

👾 Exploit Exists

What is CVE-2024-7214?

A severe command injection vulnerability has been identified in TOTOLINK's LR350 router, specifically in the 'setWanCfg' function of the '/cgi-bin/cstecgi.cgi' file. This flaw allows an attacker to manipulate the 'hostName' argument, potentially leading to unauthorized command execution on the affected device. Because this exploitation can be conducted remotely, it poses a significant security risk to users. It is crucial to note that the vulnerability has been publicly disclosed, and as of now, no response has been received from the vendor regarding any security patches or updates. Users of the affected version are strongly urged to take precautionary measures to protect their devices against potential attacks.

Affected Version(s)

LR350 9.3.5u.6369_B20220309

References

https://vuldb.com/?id.272785

vdb-entrytechnical-description

https://vuldb.com/?ctiid.272785

signaturepermissions-required

https://vuldb.com/?submit.378319

third-party-advisory

EPSS Score

7% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

👾
Exploit known to exist
Jul 30, 2024
Vulnerability published
Jul 30, 2024

Credit

yhryhryhr_miemie (VulDB User)

Totolink

Badges

What is CVE-2024-7214?

Affected Version(s)

References

EPSS Score

CVSS V3.1

Timeline

Credit