CVE-2024-57019
Published: 15 January 2025
Summary
CVE-2024-57019 is a high-severity OS Command Injection (CWE-78) vulnerability in Totolink X5000R Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked in the top 14.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires input validation at entry points like the 'limit' parameter to neutralize special elements and prevent OS command injection.
Mandates timely flaw remediation, including patching the firmware vulnerability in setVpnAccountCfg to eliminate the command injection flaw.
Enforces least privilege for low-privileged authenticated users, limiting the scope and impact of arbitrary OS commands executed through the vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in setVpnAccountCfg directly enables arbitrary Unix shell command execution on the router firmware.
NVD Description
TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "limit" parameter in setVpnAccountCfg.
Deeper analysisAI
CVE-2024-57019 is an OS command injection vulnerability affecting the TOTOLINK X5000R router firmware version V9.1.0cu.2350_B20230313. The issue resides in the setVpnAccountCfg function, where the "limit" parameter fails to properly sanitize user input, allowing injection of arbitrary operating system commands. This flaw is classified as CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote exploitation.
An attacker requires low privileges, such as those of an authenticated user on the device, to exploit this vulnerability over the network with low attack complexity and no user interaction. Exploitation involves crafting a malicious request to the vulnerable endpoint, enabling arbitrary OS command execution. This grants high-impact privileges, compromising confidentiality through data exfiltration, integrity via unauthorized modifications, and availability by disrupting device operations, potentially leading to full router takeover.
Advisories reference a GitHub repository detailing the vulnerability, including likely proof-of-concept information at https://github.com/tiger5671/Vulnerabilities/blob/main/TOTOLINK%20X5000R/setVpnAccountCfg/setVpnAccountCfg.md, and the official TOTOLINK website at https://www.totolink.net/, where users should check for firmware updates or mitigation guidance. No specific patch details are provided in the CVE data.
Details
- CWE(s)