CVE-2024-7215

Name of the Vulnerable Software and Affected Versions TOTOLINK LR1200 version 9.3.1cu.2832

Description A critical issue was found in the function NTPSyncWithHost of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument host time leads to command injection. The attack may be launched remotely. The issue has been publicly disclosed.

Recommendations For TOTOLINK LR1200 version 9.3.1cu.2832, as a temporary workaround, consider disabling the NTPSyncWithHost function until a patch is available. Restrict access to the /cgi-bin/cstecgi.cgi file to minimize the risk of exploitation. Avoid using the host time argument in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.