CVE-2024-57012

CVE-2024-57012, published on 2025-01-15, is an OS command injection vulnerability (CWE-78) affecting the TOTOLINK X5000R router firmware version V9.1.0cu.2350_B20230313. The issue resides in the setScheduleCfg function, where the "week" parameter fails to properly sanitize user input, allowing injection of arbitrary operating system commands. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

Attackers with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and without requiring user interaction (UI:N). By crafting malicious input for the "week" parameter, an authenticated user can execute arbitrary OS commands on the device, achieving high impacts across confidentiality, integrity, and availability (C:H/I:H/A:H). This could enable full router compromise, such as data exfiltration, persistent access, or disruption of network services.

Mitigation guidance and patch information can be found on the vendor's website at https://www.totolink.net/ and in the detailed disclosure at https://github.com/tiger5671/Vulnerabilities/blob/main/TOTOLINK%20X5000R/setScheduleCfg/setScheduleCfg.md. Security practitioners should verify firmware updates and apply input validation or access controls to the affected endpoint as interim measures.