CVE-2024-57018

CVE-2024-57018 is an OS command injection vulnerability (CWE-78) affecting the TOTOLINK X5000R router running firmware version V9.1.0cu.2350_B20230313. The flaw exists in the setVpnAccountCfg function, where the "desc" parameter fails to properly sanitize user input, allowing injection of arbitrary operating system commands. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low attack complexity, and potential for significant impact on confidentiality, integrity, and availability.

A remote attacker with low privileges, such as an authenticated user on the device, can exploit this vulnerability over the network without user interaction. By crafting a malicious request to the vulnerable endpoint with injected commands in the "desc" parameter, the attacker can execute arbitrary OS commands on the underlying system. Successful exploitation enables full control over the router, including data exfiltration, modification of configurations, service disruption, or use as a pivot for further network attacks.

For mitigation details, refer to the vulnerability advisory at https://github.com/tiger5671/Vulnerabilities/blob/main/TOTOLINK%20X5000R/setVpnAccountCfg/setVpnAccountCfg.md and the vendor's security page at https://www.totolink.net/. Practitioners should check these resources for patches, workarounds, or firmware updates addressing this issue.