CVE-2024-57017

CVE-2024-57017 is an OS command injection vulnerability (CWE-78) affecting the TOTOLINK X5000R router on firmware version V9.1.0cu.2350_B20230313. The issue resides in the "pass" parameter of the setVpnAccountCfg function, where insufficient input validation allows attackers to inject and execute arbitrary operating system commands.

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network with low attack complexity and no user interaction required. A low-privileged authenticated user (PR:L) can leverage this flaw to execute arbitrary OS commands on the device, resulting in high impacts to confidentiality, integrity, and availability, such as full system compromise.

Mitigation guidance and further details are available in the referenced advisories, including the vendor site at https://www.totolink.net/ and a vulnerability analysis with proof-of-concept at https://github.com/tiger5671/Vulnerabilities/blob/main/TOTOLINK%20X5000R/setVpnAccountCfg/setVpnAccountCfg.md.