PT-2024-19470 · Totolink · Totolink X2000R V2

Published

2024-01-25

Updated

2024-01-31

CVE-2024-22529

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions TOTOLINK X2000R V2 version V2.0.0-B20230727.10434

Description The issue is a command injection vulnerability in the sub 449040, which is the handle function of formUploadFile, located in /bin/boa. This vulnerability can be exploited through the "formUploadFile" functionality.

Recommendations For TOTOLINK X2000R V2 version V2.0.0-B20230727.10434, as a temporary workaround, consider disabling the sub 449040 function until a patch is available. Restrict access to the /bin/boa module to minimize the risk of exploitation. Avoid using the formUploadFile functionality in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-77

Related Identifiers

CVE-2024-22529

Affected Products

Totolink X2000R V2

PT-2024-19470 · Totolink · Totolink X2000R V2

CVE-2024-22529

Weakness Enumeration

Related Identifiers

Affected Products

References · 6