CVE-2024-41317

Name of the Vulnerable Software and Affected Versions: TOTOLINK A6000R version 1.0.1-B20201211.2000

Description: The issue is related to a command injection vulnerability in the apcli do enr pbc wps function. This vulnerability is associated with the failure to neutralize special elements used in the operating system command. The exploitation of this issue may allow a remote attacker to execute arbitrary code by sending a specially crafted command. The ifname parameter is specifically mentioned as the vulnerable parameter in this context.

Recommendations: For TOTOLINK A6000R version 1.0.1-B20201211.2000, as a temporary workaround, consider disabling the apcli do enr pbc wps function until a patch is available. Restrict access to the vulnerable ifname parameter in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.