CVE-2024-57011

CVE-2024-57011, published on 2025-01-15, is an OS command injection vulnerability (CWE-78) affecting the TOTOLINK X5000R router firmware version V9.1.0cu.2350_B20230313. The issue resides in the setScheduleCfg function, where the "minute" parameters fail to properly sanitize user input, enabling attackers to inject and execute arbitrary operating system commands.

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating network accessibility with low attack complexity. Exploitation requires low privileges, such as those of an authenticated user, and no user interaction. Attackers can achieve high impacts on confidentiality, integrity, and availability, potentially resulting in full router compromise, including data theft, configuration changes, or denial of service.

Mitigation details can be found in the referenced advisories, including the vendor site at https://www.totolink.net/ and the vulnerability disclosure at https://github.com/tiger5671/Vulnerabilities/blob/main/TOTOLINK%20X5000R/setScheduleCfg/setScheduleCfg.md. Security practitioners should check these sources for patches or workarounds specific to the affected firmware.