CVE-2024-57018

Name of the Vulnerable Software and Affected Versions TOTOLINK X5000R version V9.1.0cu.2350 B20230313

Description The issue is related to the setVpnAccountCfg() function, specifically the /web/cgi-bin/cstecgi.cgi endpoint, where the desc parameter is not properly sanitized, allowing an attacker to inject operating system commands. This could enable a remote attacker to execute arbitrary commands. The vulnerability is associated with the TOTOLINK X5000R router's firmware.

Recommendations For TOTOLINK X5000R version V9.1.0cu.2350 B20230313, as a temporary workaround, consider disabling the setVpnAccountCfg() function until a patch is available. Restrict access to the /web/cgi-bin/cstecgi.cgi endpoint to minimize the risk of exploitation. Avoid using the desc parameter in the setVpnAccountCfg() function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.