Cyber Resilience

CVE-2024-7214

Severity: Medium · Public PoC

Published: 30 July 2024
Modified: 21 November 2024
KEV Added: not listed
Patch: none reported
CVSS v4.0 score: 5.3 (Medium), vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0584 (90.7th percentile)
Risk priority: 14 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-7214 is a medium-severity command injection (CWE-77) vulnerability in TOTOLINK LR350 firmware. Its CVSS v4.0 base score is 5.3 (Medium).

Operationally, it ranks in the top 9.3% of CVEs by EPSS exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof of concept.

Deeper analysis

CVE-2024-7214 is a command injection vulnerability classified under CWE-77 in TOTOLINK LR350 router firmware version 9.3.5u.6369_B20220309. It resides in the setWanCfg function of /cgi-bin/cstecgi.cgi, where the hostName argument is passed into a system command without sanitization, so attacker-supplied shell metacharacters in that value are interpreted by the shell and execute arbitrary commands.

The flaw can be triggered remotely by an authenticated attacker (PR:L in the vector) who submits a crafted hostName value. The CVSS v4.0 vector rates the impact on confidentiality, integrity and availability as low, which is how the score arrives at 5.3; a practitioner should treat that as a floor rather than a ceiling, since commands injected through a CGI handler run with the privileges of the device's web server process, and on embedded routers that process commonly runs as root. Public exploit code has been released, so unauthorized command execution on affected devices is practical, not theoretical.

References such as the GitHub disclosure and the VulDB entry (VDB-272785) describe the issue and the proof of concept. The vendor was notified early but has provided no response and no patch information, so no fixed firmware version is known. The EPSS score has remained flat at 0.0584 with no material rise since disclosure.
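The following is an added example, not code from the advisory, from VulDB or from TOTOLINK firmware. It shows the two things a practitioner wants from the analysis above: the allowlist check that setWanCfg should apply to hostName before the value reaches any command (the fix pattern), and a detector that applies the same check to requests aimed at /cgi-bin/cstecgi.cgi so exploitation attempts can be flagged in proxy or IDS captures. The advisory names only the endpoint and the argument; the request encodings (form-urlencoded and JSON bodies), the assumed topicurl selector field and the sample traffic are all constructed here for illustration.

```python
"""Added example (not from the advisory or from TOTOLINK): strict hostname
allowlisting for the hostName argument, plus a detector that applies the
same check to HTTP requests targeting /cgi-bin/cstecgi.cgi.

Assumptions, not facts from the advisory: body encodings (form-urlencoded
or JSON), the "topicurl" selector field, and the sample requests below.
"""
import json
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# RFC 1123 hostname label: letters, digits and hyphens, 1-63 chars,
# no leading or trailing hyphen. Whole name at most 253 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_safe_hostname(value: str) -> bool:
    """Allowlist validation: reject anything outside RFC 1123 syntax.

    Every shell metacharacter (; | & $ ` ( ) < > space, newline, ...) is
    outside the allowlist, so a value that passes cannot alter the command
    line it is later placed into. Allowlisting beats blocklisting here
    because the set of dangerous bytes depends on the shell and the quoting.
    """
    if not value or len(value) > 253:
        return False
    return all(_LABEL.match(label) for label in value.split("."))


@dataclass
class Request:
    """Minimal view of an HTTP request as a proxy or IDS would present it."""
    path: str
    content_type: str
    body: str


def extract_hostname(req: Request):
    """Pull hostName out of a form-encoded or JSON body (assumed encodings).

    Returns None when the field is absent or the body does not parse.
    """
    try:
        if req.content_type.startswith("application/x-www-form-urlencoded"):
            return parse_qs(req.body).get("hostName", [None])[0]
        if req.content_type.startswith("application/json"):
            obj = json.loads(req.body)
            return obj.get("hostName") if isinstance(obj, dict) else None
    except (ValueError, UnicodeDecodeError):
        return None
    return None


def detect_cve_2024_7214(requests):
    """Return the hostName values of cstecgi.cgi requests that fail the allowlist."""
    hits = []
    for req in requests:
        if not req.path.startswith("/cgi-bin/cstecgi.cgi"):
            continue
        host = extract_hostname(req)
        if host is not None and not is_safe_hostname(host):
            hits.append(host)
    return hits


# Constructed sample traffic (not real captures): one benign setWanCfg call,
# two attempts carrying shell metacharacters, and an unrelated request.
SAMPLE = [
    Request("/cgi-bin/cstecgi.cgi", "application/json",
            '{"topicurl":"setWanCfg","hostName":"router-1"}'),
    Request("/cgi-bin/cstecgi.cgi", "application/json",
            '{"topicurl":"setWanCfg","hostName":"x;id>/tmp/o"}'),
    Request("/cgi-bin/cstecgi.cgi", "application/x-www-form-urlencoded",
            "topicurl=setWanCfg&hostName=a%60reboot%60"),
    Request("/index.html", "text/html", ""),
]

if __name__ == "__main__":
    for h in detect_cve_2024_7214(SAMPLE):
        print("suspicious hostName:", repr(h))
```

Run against the constructed sample, the detector reports the two hostName values containing `;` and backticks and ignores the benign call and the unrelated request. The same `is_safe_hostname` check, applied in the CGI handler before the value is used, is the fix the firmware lacks.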


Vulnerability details

A vulnerability has been found in TOTOLINK LR350 9.3.5u.6369_B20220309 and classified as critical. Affected by this vulnerability is the function setWanCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument hostName leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-272785 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s): CWE-77 (Improper Neutralization of Special Elements used in a Command ('Command Injection'))

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

TOTOLINK LR350 firmware 9.3.5u.6369_B20220309

Mitigating Controls

No mitigating controls mapped yet; the per-CVE control annotator has not reached this CVE. Until a vendor fix exists, the usual compensating controls for an unpatched router command injection apply: keep the web management interface off the WAN side, enforce strong non-default admin credentials since the flaw requires an authenticated session (PR:L), and treat any request to /cgi-bin/cstecgi.cgi whose hostName value contains shell metacharacters as an indicator of attack.
