CVE-2024-57019
Published: 15 January 2025
Description
TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "limit" parameter in setVpnAccountCfg.
Security Summary
CVE-2024-57019 is an OS command injection vulnerability affecting the TOTOLINK X5000R router firmware version V9.1.0cu.2350_B20230313. The issue resides in the setVpnAccountCfg function, where the "limit" parameter fails to properly sanitize user input, allowing injection of arbitrary operating system commands. This flaw is classified as CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote exploitation.
Exploitation requires low privileges (PR:L), typically those of a user authenticated to the router's management interface, and is reachable over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). An attacker sends a crafted request to the setVpnAccountCfg endpoint with command-injection characters in the limit parameter, and the injected text is executed as an OS command. Because those commands run in the context of the process that handles the request, the impact is rated High for confidentiality (data exfiltration), integrity (unauthorized modification of configuration and files) and availability (disruption of device operation), which in practice can amount to full takeover of the router.
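The following is an added illustration of the CWE-78 pattern the summary describes, written for this page; it is not TOTOLINK's firmware code, which the CVE record does not publish. Only the parameter name "limit" comes from the CVE text. The command string, the function names, the LIMIT_MAX bound and the use of /bin/true as a stand-in helper binary are all assumptions. It shows the vulnerable shape (parameter spliced into a system() command line), a metacharacter check that is useful for scanning request logs, and a hardened handler that validates the value positively and then executes the helper without a shell.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed illustration of CWE-78 as described for CVE-2024-57019.
 * NOT TOTOLINK's code: the CVE record does not show the firmware source.
 * Only the parameter name "limit" comes from the CVE text; the command
 * string, bounds, function names and helper path are assumptions. */

#define LIMIT_MAX 100000L   /* assumed upper bound for an account limit */

/* Vulnerable pattern: the request parameter is spliced into a shell command
 * line and run through system(). The shell parses the whole string, so a
 * metacharacter in "limit" (;, |, &, $(), backticks, newline) terminates the
 * intended command and starts an attacker-chosen one. */
static int set_vpn_limit_unsafe(const char *limit)
{
    char cmd[256];
    /* hypothetical command; the firmware's actual command is not known */
    int n = snprintf(cmd, sizeof cmd, "echo %s", limit);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return -1;
    return system(cmd);
}

/* Detection helper (blocklist): flags values containing characters a POSIX
 * shell treats specially. Handy for scanning request logs, but too weak to be
 * the only defence, which is why the hardened handler does not rely on it. */
static bool has_shell_metachars(const char *s)
{
    return strpbrk(s, ";|&$`<>()\n\r\"'\\") != NULL;
}

/* Hardened step 1: positive validation. "limit" is supposed to be a small
 * non-negative decimal integer, so accept exactly that shape and nothing
 * else. Returns the parsed value, or -1 if the input is rejected. */
static long parse_limit(const char *s)
{
    if (s == NULL || *s == '\0' || strlen(s) > 6)
        return -1;
    for (const char *p = s; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p))
            return -1;
    errno = 0;
    char *end = NULL;
    long v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v > LIMIT_MAX)
        return -1;
    return v;
}

/* Hardened step 2: even a validated value never reaches a shell. The helper
 * is executed directly with the value as its own argv element, so no command
 * parser can reinterpret it. Returns the child's exit status, or -1 if the
 * value was rejected or the child could not be run. */
static int set_vpn_limit_safe(const char *limit)
{
    long v = parse_limit(limit);
    if (v < 0)
        return -1;

    char arg[16];
    snprintf(arg, sizeof arg, "%ld", v);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* /bin/true stands in for the firmware's real helper binary */
        char *const argv[] = { "/bin/true", arg, NULL };
        execv(argv[0], argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* constructed sample values: two benign, the rest shaped like injection */
    const char *samples[] = { "10", "100000", "10;id", "$(id)", "10 ", "-1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s parse=%ld metachars=%d\n", samples[i],
               parse_limit(samples[i]), has_shell_metachars(samples[i]));
    set_vpn_limit_unsafe("10");   /* benign value; shown only for contrast */
    return set_vpn_limit_safe("10") == 0 ? 0 : 1;
}
```

The order of the two hardened steps matters: validation rejects anything that is not a plain integer, and the shell-free exec means that even a future relaxation of the validator cannot reintroduce command injection, since there is no shell to interpret the value.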
Advisories reference a GitHub repository describing the vulnerability, which likely includes proof-of-concept details, at https://github.com/tiger5671/Vulnerabilities/blob/main/TOTOLINK%20X5000R/setVpnAccountCfg/setVpnAccountCfg.md, and the official TOTOLINK website at https://www.totolink.net/, where users should check for firmware updates or mitigation guidance. The CVE data does not provide patch details. Because exploitation requires reaching the authenticated management interface, keeping that interface off the WAN and limited to trusted networks reduces exposure until a fixed firmware is confirmed.
Details
- CWE(s)