PT-2020-10247 · Totolink · Totolink N301Rt+7
Br0X · Published 2020-01-27 · Updated 2024-09-21 · CVE-2019-19824
CVSS v2.0: 9.0 (High)
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
TOTOLINK A3002RU versions 2.0.0 and earlier
TOTOLINK A702R versions 2.1.3 and earlier
TOTOLINK N301RT versions 2.1.6 and earlier
TOTOLINK N302R versions 3.4.0 and earlier
TOTOLINK N300RT versions 3.4.0 and earlier
TOTOLINK N200RE versions 4.0.0 and earlier
TOTOLINK N150RT versions 3.4.0 and earlier
TOTOLINK N100RE versions 3.4.0 and earlier
TOTOLINK N302RE version 2.0.2
Description
An authenticated attacker may execute arbitrary OS commands via the sysCmd parameter of the "boafrm/formSysCmd" URI. This allows full control over the device's internals.
Recommendations
For TOTOLINK A3002RU versions 2.0.0 and earlier, consider disabling access to the "boafrm/formSysCmd" URI until a patch is available.
For TOTOLINK A702R versions 2.1.3 and earlier, restrict the use of the sysCmd parameter in the "boafrm/formSysCmd" URI to minimize the risk of exploitation.
For TOTOLINK N301RT versions 2.1.6 and earlier, avoid using the sysCmd parameter in the affected API endpoint until the issue is resolved.
For TOTOLINK N302R versions 3.4.0 and earlier, temporarily disable the sysCmd functionality to prevent exploitation.
For TOTOLINK N300RT versions 3.4.0 and earlier, restrict access to the vulnerable module to minimize the risk of exploitation.
For TOTOLINK N200RE versions 4.0.0 and earlier, consider disabling the sysCmd parameter in the "boafrm/formSysCmd" URI as a temporary workaround.
For TOTOLINK N150RT versions 3.4.0 and earlier, avoid using the vulnerable API endpoint until a patch is available.
For TOTOLINK N100RE versions 3.4.0 and earlier, restrict the use of the sysCmd parameter to prevent exploitation.
For TOTOLINK N302RE version 2.0.2, consider disabling access to the "boafrm/formSysCmd" URI until a patch is available.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
OS Command Injection
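A defensive check in the spirit of the recommendations above, added here as an example and not part of the advisory: it scans constructed web-server access-log lines for requests to the /boafrm/formSysCmd URI and flags any sysCmd parameter visible in the query string. The log format, the sample lines and the severity labels are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format); not taken from the advisory.
SAMPLE_LOG = """\
192.0.2.10 - admin [27/Jan/2020:10:00:01 +0000] "GET /home.htm HTTP/1.1" 200 512
192.0.2.10 - admin [27/Jan/2020:10:00:05 +0000] "POST /boafrm/formSysCmd HTTP/1.1" 200 128
192.0.2.11 - admin [27/Jan/2020:10:00:09 +0000] "GET /boafrm/formSysCmd?sysCmd=%5Bconstructed%5D HTTP/1.1" 200 128
192.0.2.12 - - [27/Jan/2020:10:00:12 +0000] "GET /boafrm/formLogin HTTP/1.1" 200 300
"""

# Fields of a common-log-format line: source, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

VULN_PATH = "/boafrm/formSysCmd"   # URI named in the advisory
VULN_PARAM = "sysCmd"              # parameter named in the advisory


def classify(line):
    """Return (severity, reason) for one log line, or None if it is uninteresting."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path.lower() != VULN_PATH.lower():
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if VULN_PARAM in params:
        # Parameter visible in the query string: treat as an attempted command injection.
        return ("high", "sysCmd parameter supplied to formSysCmd")
    # POST bodies are not logged, so any hit on the URI still deserves review.
    return ("medium", f"{m['method']} to {VULN_PATH} (body not visible)")


def scan(log_text):
    """Return a list of (src, user, severity, reason) for every flagged line."""
    findings = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            m = LOG_RE.match(line)
            findings.append((m["src"], m["user"], hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```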
Affected Products
Totolink A3002Ru
Totolink A702R
Totolink N100Re
Totolink N150Rt
Totolink N200Re
Totolink N300Rt
Totolink N301Rt
Totolink N302R