Cyber Resilience

CVE-2024-57211

HighPublic PoC

Published: 10 January 2025

Published
10 January 2025
Modified
03 April 2025
KEV Added
Patch
CVSS Score v3.1 8.0 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0115 78.9th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-57211 is a high-severity Command Injection (CWE-77) vulnerability in Totolink A6000R Firmware. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 21.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-57211 is a command injection vulnerability (CWE-77) in the TOTOLINK A6000R router, specifically version V1.0.1-B20201211.2000. The issue resides in the enable_wsh function, where the modifyOne parameter fails to properly sanitize user input, allowing arbitrary command execution.

The vulnerability carries a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). An attacker with adjacent network access (AV:A) and low privileges (PR:L) can exploit it with low complexity and no user interaction, achieving high impacts on confidentiality, integrity, and availability in the unchanged scope. Successful exploitation enables remote command injection, potentially leading to full router compromise.

References point to a GitHub repository documenting the vulnerability and proof-of-concept: https://github.com/yanggao017/vuln/blob/main/TOTOLINK/A6000R/CI_11_enable_wsh/README.md. No vendor advisories or patches are specified in the available details.

EU & UK References

Vulnerability details

TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability via the modifyOne parameter in the enable_wsh function.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Why these techniques?

Command injection via web parameter in router firmware enables exploitation of public-facing application (T1190) and arbitrary command execution on the network device CLI (T1059.008).

CVEs Like This One

CVE-2025-52046Same vendor: Totolink
CVE-2025-55591Same vendor: Totolink
CVE-2025-61044Same vendor: Totolink
CVE-2026-5030Same vendor: Totolink
CVE-2026-5178Same vendor: Totolink
CVE-2026-1150Same vendor: Totolink
CVE-2026-5020Same vendor: Totolink
CVE-2026-1548Same vendor: Totolink
CVE-2026-1326Same vendor: Totolink
CVE-2026-5105Same vendor: Totolink

Affected Assets

totolink
a6000r firmware
1.0.1-b20201211.2000

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the command injection vulnerability by requiring validation and sanitization of the unsanitized modifyOne parameter in the enable_wsh function.

prevent

Addresses the root cause by requiring timely identification, reporting, and correction of the specific flaw enabling arbitrary command execution in the router firmware.

prevent

Prevents command injection by restricting the modifyOne parameter to valid inputs, blocking shell metacharacters and malformed data passed to the enable_wsh function.

References