CVE-2024-57021

CVE-2024-57021, published on 2025-01-15, is an OS command injection vulnerability (CWE-78) affecting the TOTOLINK X5000R router on firmware version V9.1.0cu.2350_B20230313. The issue resides in the setWiFiScheduleCfg function, where the "eHour" parameter fails to properly sanitize user input, enabling attackers to inject and execute arbitrary operating system commands.

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating network accessibility with low attack complexity. Exploitation requires low privileges, such as those of an authenticated user, and no user interaction. Attackers can achieve high impacts on confidentiality, integrity, and availability, potentially resulting in full router compromise through remote code execution.

Mitigation guidance can be found in the referenced advisory at https://github.com/tiger5671/Vulnerabilities/blob/main/TOTOLINK%20X5000R/setWiFiScheduleCfg/setWiFiScheduleCfg.md and on the vendor's site at https://www.totolink.net/.