CVE-2024-0297
Published: 08 January 2024
Summary
CVE-2024-0297 is a high-severity OS Command Injection (CWE-78) vulnerability in Totolink N200Re Firmware. Its CVSS base score is 7.3 (High).
Operationally, ranked in the top 23.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-0297 is an OS command injection vulnerability affecting the Totolink N200RE router running firmware version 9.3.5u.6139_B20201216. It exists in the UploadFirmwareFile function within /cgi-bin/cstecgi.cgi, where unsanitized input to the FileName argument permits execution of arbitrary operating system commands, corresponding to CWE-78 and carrying a CVSS 3.1 base score of 7.3.
An unauthenticated attacker can exploit the issue remotely by submitting a crafted HTTP request to the device's web management interface, achieving limited control over confidentiality, integrity, and availability without requiring user interaction.
The vendor was notified prior to disclosure but provided no response or patch. Public exploit details have been released through repositories such as GitHub.
The associated EPSS score rose materially from a low starting value to a peak of 0.0656 on 2025-01-22 before receding, indicating a period of heightened exploitation interest after the vulnerability became public.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-16093
Vulnerability details
A vulnerability was found in Totolink N200RE 9.3.5u.6139_B20201216 and classified as critical. This issue affects the function UploadFirmwareFile of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument FileName leads to os command injection. The attack may be initiated remotely. The…
more
exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249863. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.