CVE-2024-24329
Published: 30 January 2024
Summary
CVE-2024-24329 is a critical-severity OS Command Injection (CWE-78) vulnerability in Totolink A3300R Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Deeper analysis
TOTOLINK A3300R routers running firmware version V17.0.0cu.557_B20221024 contain a command injection vulnerability in the setPortForwardRules function, where the enable parameter is passed to an operating-system command without proper sanitization. The flaw is tracked as CVE-2024-24329 and is classified under CWE-78. Its CVSS 3.1 score of 9.8 reflects network-accessible exploitation without authentication or user interaction.
An unauthenticated attacker with network access can supply a crafted enable value to execute arbitrary operating-system commands on the device. Successful exploitation grants full control over the router, allowing an adversary to read or modify configuration data, intercept traffic, or pivot into the attached network.
Public proof-of-concept code has been posted to GitHub detailing the injection vector. The associated EPSS score currently stands at 0.8329 with an identical peak value, indicating sustained exploitation interest since disclosure.
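The CWE-78 pattern described above, next to a hardened form, as an added example that is not the vendor's firmware code or anything from the original page. The program path, option name and function names are hypothetical, and the sample inputs are constructed; the page names only the enable parameter and the setPortForwardRules function.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for whatever program the firmware runs; not from the page. */
#define RULE_TOOL "/usr/sbin/example_fw_tool"

/* Allow-list: a boolean "enable" field has exactly two legitimate values. */
int enable_is_valid(const char *v)
{
    return v != NULL && (strcmp(v, "0") == 0 || strcmp(v, "1") == 0);
}

/* CWE-78 pattern: the request value is formatted into a string meant for
 * system(). Only the string is built here; nothing is executed. */
int format_unsafe(char *out, size_t n, const char *enable)
{
    return snprintf(out, n, RULE_TOOL " --port-forward %s", enable);
}

/* Hardened: reject anything off the allow-list, then fill an argv[] for
 * execv() using only program-chosen literals, so no shell parses the input. */
int build_argv_safe(const char *enable, const char *argv[4])
{
    if (!enable_is_valid(enable))
        return -1;
    argv[0] = RULE_TOOL;
    argv[1] = "--port-forward";
    argv[2] = (enable[0] == '1') ? "on" : "off";
    argv[3] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic. */
    const char *samples[] = { "1", "0", "1; echo x", "$(echo x)", "" };
    const char *argv[4];
    char cmd[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        format_unsafe(cmd, sizeof cmd, samples[i]);
        int ok = build_argv_safe(samples[i], argv) == 0;
        printf("%-10s unsafe=\"%s\" safe=%s\n", samples[i], cmd,
               ok ? argv[2] : "rejected");
    }
    return 0;
}
```

In the unsafe form the metacharacters survive into the command string; in the hardened form the request value never reaches the command line at all, only the literal the program selected.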
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-21751
Vulnerability details
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the enable parameter in the setPortForwardRules function.
- CWE(s): CWE-78
Related Threats
MITRE ATT&CK Enterprise Techniques
The command injection vulnerability in the router's web management interface (setPortForwardRules function via enable parameter) enables exploitation of a public-facing application (T1190) and facilitates arbitrary remote command execution on the underlying Unix shell (T1059.004).
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.