CVE-2024-57015

CVE-2024-57015 is an OS command injection vulnerability (CWE-78) affecting the TOTOLINK X5000R router firmware version V9.1.0cu.2350_B20230313. The issue resides in the setScheduleCfg function, where the "hour" parameter fails to properly sanitize user input, enabling attackers to inject and execute arbitrary operating system commands.

The vulnerability carries a CVSS v3.1 base score of 8.8 (High), with a vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. It can be exploited remotely over the network by low-privileged authenticated users without requiring user interaction. Successful exploitation allows attackers to achieve high impacts across confidentiality, integrity, and availability, potentially leading to full device compromise through arbitrary command execution.

Advisories and mitigation details can be found in the vendor's security resources at https://www.totolink.net/ and the detailed vulnerability report at https://github.com/tiger5671/Vulnerabilities/blob/main/TOTOLINK%20X5000R/setScheduleCfg/setScheduleCfg.md, published on 2025-01-15.