CVE-2024-57013

CVE-2024-57013 is an OS command injection vulnerability (CWE-78) affecting the TOTOLINK X5000R router running firmware version V9.1.0cu.2350_B20230313. The flaw exists in the setScheduleCfg function, where the "switch" parameter fails to properly sanitize user input, allowing arbitrary command execution on the underlying operating system. The vulnerability received a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

An attacker with low-privilege network access, such as an authenticated user, can exploit this vulnerability remotely with low complexity and no user interaction required. By crafting a malicious request to the vulnerable setScheduleCfg endpoint with injected commands in the "switch" parameter, the attacker can achieve high-impact outcomes, including unauthorized access to sensitive data (C:H), modification of system configurations or files (I:H), and disruption of router services (A:H), potentially leading to full device compromise.

Details on exploitation and analysis are documented in the GitHub advisory at https://github.com/tiger5671/Vulnerabilities/blob/main/TOTOLINK%20X5000R/setScheduleCfg/setScheduleCfg.md, while the vendor's website at https://www.totolink.net/ provides general support resources that may include relevant firmware updates or mitigation guidance.