CVE-2024-57036
Published: 21 January 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2024-57036 is a command insertion vulnerability (CWE-77) in the TOTOLINK A810R router firmware version V4.1.2cu.5032_B20200407. The issue exists in the main function of the downloadFile.cgi script, which allows an attacker to execute arbitrary commands by sending a specially crafted HTTP request. Published on 2025-01-21, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to its network accessibility and potential for significant impact.
A remote attacker with low privileges (PR:L), such as an authenticated user, can exploit the vulnerability over the network with low attack complexity and no user interaction. By sending a malicious HTTP request to downloadFile.cgi, the attacker achieves arbitrary command execution on the device, resulting in high impacts to confidentiality and integrity, while availability remains unaffected.
The primary reference for this vulnerability is available at https://github.com/luckysmallbird/Totolink-A810R-Vulnerability-1/blob/main/3.md, which provides additional details relevant to practitioners.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command insertion in downloadFile.cgi enables exploitation of public-facing web application (T1190) for arbitrary Unix shell command execution (T1059.004) on the router.