Cyber Posture

CVE-2024-57211

HighPublic PoC

Published: 10 January 2025

Published
10 January 2025
Modified
03 April 2025
KEV Added
Patch
CVSS Score 8.0 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0085 75.0th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-57211 is a high-severity Command Injection (CWE-77) vulnerability in Totolink A6000R Firmware. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 25.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly mitigates the command injection vulnerability by requiring validation and sanitization of the unsanitized modifyOne parameter in the enable_wsh function.

SI-2 Flaw Remediation good match
prevent

Addresses the root cause by requiring timely identification, reporting, and correction of the specific flaw enabling arbitrary command execution in the router firmware.

SI-9 Information Input Restrictions good match
prevent

Prevents command injection by restricting the modifyOne parameter to valid inputs, blocking shell metacharacters and malformed data passed to the enable_wsh function.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
attack.mitre.org →
Why these techniques?

Command injection via web parameter in router firmware enables exploitation of public-facing application (T1190) and arbitrary command execution on the network device CLI (T1059.008).

NVD Description

TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability via the modifyOne parameter in the enable_wsh function.

Deeper analysisAI

CVE-2024-57211 is a command injection vulnerability (CWE-77) in the TOTOLINK A6000R router, specifically version V1.0.1-B20201211.2000. The issue resides in the enable_wsh function, where the modifyOne parameter fails to properly sanitize user input, allowing arbitrary command execution.

The vulnerability carries a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). An attacker with adjacent network access (AV:A) and low privileges (PR:L) can exploit it with low complexity and no user interaction, achieving high impacts on confidentiality, integrity, and availability in the unchanged scope. Successful exploitation enables remote command injection, potentially leading to full router compromise.

References point to a GitHub repository documenting the vulnerability and proof-of-concept: https://github.com/yanggao017/vuln/blob/main/TOTOLINK/A6000R/CI_11_enable_wsh/README.md. No vendor advisories or patches are specified in the available details.

Details

CWE(s)
CWE-77

Affected Products

totolink
a6000r firmware
1.0.1-b20201211.2000

CVEs Like This One

CVE-2025-52046Same vendor: Totolink
CVE-2025-61044Same vendor: Totolink
CVE-2025-55591Same vendor: Totolink
CVE-2026-4497Same vendor: Totolink
CVE-2026-5105Same vendor: Totolink
CVE-2026-2167Same vendor: Totolink
CVE-2026-5030Same vendor: Totolink
CVE-2025-8937Same vendor: Totolink
CVE-2026-5176Same vendor: Totolink
CVE-2026-5178Same vendor: Totolink

References