CVE-2024-57015
Published: 15 January 2025
Summary
CVE-2024-57015 is a high-severity OS Command Injection (CWE-78) vulnerability in Totolink X5000R Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 12.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability CVE-2024-57015 is an OS command injection flaw (CWE-78) in the TOTOLINK X5000R router running firmware V9.1.0cu.2350_B20230313. It is reachable via the hour parameter of the setScheduleCfg function and carries a CVSS 3.1 score of 8.8.
An authenticated attacker with network access can supply crafted input to the affected parameter and execute arbitrary operating-system commands, resulting in high impact to confidentiality, integrity, and availability without requiring user interaction.
The associated EPSS score rose from a low baseline to a peak of 0.0695 on 2025-12-11 before receding to its current value of 0.0338. Public references consist of a technical write-up containing proof-of-concept details and the vendor site; neither source provides patch or mitigation information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53488
Vulnerability details
TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "hour" parameter in setScheduleCfg.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in a network device's web interface directly enables remote exploitation of a public-facing application (T1190) and execution of commands through the Unix shell (T1059.004).
Mitigating Controls (NIST 800-53 r5)
SI-10 directly addresses the lack of sanitization in the 'hour' parameter by requiring validation of user inputs to prevent OS command injection.
SI-2 ensures timely remediation of the specific flaw in the setScheduleCfg function through firmware updates or patches.
SI-9 restricts the 'hour' parameter to valid values (e.g., integers 0-23), blocking malformed inputs that enable command injection.
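As an added illustration of the SI-10 and SI-9 controls above (not code from the TOTOLINK firmware, whose setScheduleCfg handler is not on this page): a strict parser for an hour field that accepts only the integers 0-23, and a schedule builder that uses the parsed integer rather than the raw request string, so no request text is ever concatenated into a command. The function names, the cron-style output format and the action token are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Strictly parse an "hour" field: 1-2 ASCII digits, value 0..23.
 * Returns 0 and stores the value on success, -1 on any other input
 * (empty, signs, whitespace, shell metacharacters, out of range). */
int parse_hour(const char *s, int *out)
{
    size_t len, i;
    int value = 0;

    if (s == NULL || out == NULL)
        return -1;
    len = strlen(s);
    if (len == 0 || len > 2)
        return -1;
    for (i = 0; i < len; i++) {
        if (!isdigit((unsigned char)s[i]))
            return -1;
        value = value * 10 + (s[i] - '0');
    }
    if (value > 23)
        return -1;
    *out = value;
    return 0;
}

/* Build a cron-style schedule line from the validated integer only.
 * Hypothetical replacement for concatenating the raw parameter
 * into a command string. Returns 0 on success, -1 if the input was
 * rejected or the buffer is too small. */
int build_schedule_entry(const char *hour_str, const char *action,
                         char *buf, size_t buflen)
{
    int hour, n;

    if (parse_hour(hour_str, &hour) != 0)
        return -1;
    /* "action" is a fixed, caller-chosen token, never request data. */
    n = snprintf(buf, buflen, "0 %d * * * %s", hour, action);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return 0;
}
```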