CVE-2024-0296
Published: 08 January 2024
Summary
CVE-2024-0296 is a high-severity OS Command Injection (CWE-78) vulnerability in Totolink N200RE firmware. Its CVSS base score is 7.3 (High).
Operationally, it ranks in the top 15.7% of CVEs by exploit likelihood. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
A vulnerability classified as critical has been identified in the Totolink N200RE router running firmware version 9.3.5u.6139_B20201216. It resides in the NTPSyncWithHost function within the /cgi-bin/cstecgi.cgi file, where improper handling of the host_time argument enables OS command injection, corresponding to CWE-78. The issue received a CVSS v3.1 score of 7.3 and can be triggered over the network without authentication.
Remote attackers can exploit the flaw by sending crafted requests that manipulate the host_time parameter, resulting in execution of arbitrary operating system commands on the device with impacts to confidentiality, integrity, and availability. A public proof-of-concept has been released, and the vendor was notified prior to disclosure but provided no response.
No official patches or mitigation guidance appear in the referenced advisories. The EPSS score rose from lower values to a peak of 0.0656 on 2025-01-22 before receding to the current 0.0207, indicating a period of increased exploitation interest after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-16092
Vulnerability details
A vulnerability has been found in Totolink N200RE 9.3.5u.6139_B20201216 and classified as critical. This vulnerability affects the function NTPSyncWithHost of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument host_time leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-249862 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.