CVE-2024-2353

Name of the Vulnerable Software and Affected Versions Totolink X6000R version 9.4.0cu.852 20230719

Description A critical issue affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component shttpd. The manipulation of the argument ip leads to os command injection. The attack may be initiated remotely.

Recommendations As a temporary workaround, consider disabling the setDiagnosisCfg function until a patch is available. Restrict access to the /cgi-bin/cstecgi.cgi file to minimize the risk of exploitation. Avoid using the ip argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.