CVE-2024-57016

CVE-2024-57016, published on 2025-01-15, is an OS command injection vulnerability (CWE-78) affecting the TOTOLINK X5000R router on firmware version V9.1.0cu.2350_B20230313. The issue resides in the setVpnAccountCfg function, where the "user" parameter fails to properly sanitize input, enabling attackers to inject and execute arbitrary operating system commands.

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating network accessibility with low attack complexity. Exploitation requires low privileges, such as those of an authenticated user, and no user interaction. Attackers can achieve high impacts across confidentiality, integrity, and availability, potentially resulting in full router compromise through remote code execution.

For mitigation details, refer to the vulnerability disclosure at https://github.com/tiger5671/Vulnerabilities/blob/main/TOTOLINK%20X5000R/setVpnAccountCfg/setVpnAccountCfg.md and the vendor's website at https://www.totolink.net/, which may provide patches, firmware updates, or workarounds.