CVE-2024-57036

Name of the Vulnerable Software and Affected Versions TOTOLINK A810R version 4.1.2cu.5032 B20200407

Description A command insertion vulnerability was discovered in the downloadFile.cgi main function. This issue allows an attacker to execute arbitrary commands by sending a specially crafted HTTP request. The vulnerability is related to the failure to neutralize special elements, such as operating system commands.

Recommendations For TOTOLINK A810R version 4.1.2cu.5032 B20200407, consider disabling the downloadFile.cgi function until a patch is available to prevent exploitation. Restrict access to the downloadFile.cgi endpoint to minimize the risk of arbitrary command execution. Avoid using the vulnerable function to download files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.