Cyber Resilience

CVE-2024-28640

Severity: High
Published: 16 March 2024
Modified: 27 June 2025
KEV Added: not listed
Patch: none recorded
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.1705 (95.1st percentile)
Risk Priority: 25 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-28640 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Totolink X5000R firmware. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 4.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-28640 is a buffer overflow vulnerability, tracked under CWE-125 as an out-of-bounds read, that affects the TOTOLINK X5000R router running firmware V9.1.0u.6118-B20201102 and the A7000R router running V9.1.0u.6115-B20201022. The flaw resides in the handling of the command field and carries a CVSS 3.1 base score of 7.5, reflecting network-accessible exploitation with no required credentials or user interaction that results in high impact to availability.

An unauthenticated remote attacker can send a crafted command value to the affected devices, triggering the overflow and causing a denial-of-service condition that disrupts router operation. No authentication or local access is needed, allowing exploitation from anywhere on the network path to the device’s management interface.

Public references point to GitHub repositories documenting the TOTOLINK issues, but they contain no vendor advisory, firmware patch, or mitigation guidance. The EPSS score currently stands at 0.1705 with a recorded peak of 0.1742, indicating moderate and relatively stable exploitation interest since disclosure.

Vulnerability details

Buffer Overflow vulnerability in TOTOLink X5000R V9.1.0u.6118-B20201102 and A7000R V9.1.0u.6115-B20201022 allows a remote attacker to cause a denial of service (DoS) via the command field.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

- totolink x5000r firmware, version 9.1.0u.6118_b20201102
- totolink a7000r firmware, version 9.1.0u.6115_b20201022

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.