Cyber Posture

CVE-2024-57590

Severity: Critical
Published: 27 January 2025
Modified: 29 May 2025
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0076 (73.4th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

TRENDnet TEW-632BRP v1.010B31 devices have an OS command injection vulnerability in the CGI interface "ntp_sync.cgi", which allows remote attackers to execute arbitrary commands via the "ntp_server" parameter passed to the "ntp_sync.cgi" binary through a POST request.

Security Summary

CVE-2024-57590 is an OS command injection vulnerability (CWE-77) in TRENDnet TEW-632BRP v1.010B31 devices. The flaw exists in the CGI interface "ntp_sync.cgi", where the "ntp_server" parameter passed via POST requests to the ntp_sync.cgi binary is susceptible to injection, enabling remote attackers to execute arbitrary operating system commands.

Attackers require no privileges (PR:N) and can exploit this remotely over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), earning a CVSS v3.1 base score of 9.8 (Critical). Successful exploitation grants high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing full device compromise, such as persistent access, data exfiltration, or further network pivoting from the affected router.

Details on mitigation, including any patches or workarounds, are documented in the advisory at https://github.com/IdaJea/IOT_vuln_1/blob/master/tew632/ntp_sync.md.

Details

CWE(s): CWE-77

Affected Products
Vendor: trendnet
Product: tew-632brp firmware
Version: 1.010b31
