CVE-2024-57020

CVE-2024-57020 is an OS command injection vulnerability (CWE-78) affecting the TOTOLINK X5000R router running firmware version V9.1.0cu.2350_B20230313. The flaw exists in the setWiFiScheduleCfg function, where the "sMinute" parameter fails to properly sanitize user input, allowing arbitrary command execution on the underlying operating system. This issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility and potential for significant impact.

A remote attacker with low privileges, such as an authenticated user on the network, can exploit this vulnerability by sending a crafted request to the vulnerable endpoint. No user interaction is required, and the low attack complexity enables straightforward exploitation over the network. Successful exploitation grants the attacker high-level impacts on confidentiality, integrity, and availability, potentially allowing full compromise of the device, including execution of arbitrary commands, data exfiltration, or further lateral movement within the network.

Details on the vulnerability, including proof-of-concept exploitation steps, are documented in a GitHub repository at https://github.com/tiger5671/Vulnerabilities/blob/main/TOTOLINK%20X5000R/setWiFiScheduleCfg/setWiFiScheduleCfg.md. The vendor's website at https://www.totolink.net/ serves as the primary source for official advisories, though no specific patch or mitigation details are outlined in available references at this time. Security practitioners should monitor for firmware updates and apply network segmentation to limit exposure.