CVE-2024-57017

Name of the Vulnerable Software and Affected Versions TOTOLINK X5000R version V9.1.0cu.2350 B20230313

Description The issue is related to the setVpnAccountCfg() function in the TOTOLINK X5000R router's firmware, specifically with the pass parameter. It allows an attacker to inject operating system commands, potentially enabling them to execute arbitrary commands remotely. The vulnerability is due to the lack of proper sanitization of special elements used in the operating system command when processing the pass parameter.

Recommendations For TOTOLINK X5000R version V9.1.0cu.2350 B20230313, as a temporary workaround, consider disabling the setVpnAccountCfg() function until a patch is available. Restrict access to the web/cgi-bin/cstecgi.cgi endpoint to minimize the risk of exploitation. Avoid using the pass parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.