Command Injection Vulnerability in TOTOLINK LR1200
CVE-2024-7215

8.8HIGH

Key Information:

Vendor: TOTOLINK
Status: Lr1200 Firmware
Vendor: CVE Published:; 30 July 2024

Summary

A serious command injection vulnerability exists within the TOTOLINK LR1200 model running version 9.3.1cu.2832, specifically in the NTPSyncWithHost function of the cgi-bin/cstecgi.cgi file. The vulnerability arises from improper handling of user-supplied input, allowing malicious actors to execute arbitrary commands on the device. This exploitation can be performed remotely, posing a significant security risk. The vendor has been notified of this issue but has not responded to the report. Users are strongly advised to apply any available updates or mitigate the risk until a patch is released.

References

https://vuldb.com/?id.272786

https://vuldb.com/?ctiid.272786

https://vuldb.com/?submit.378330

EPSS Score

11% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 30, 2024