CVE-2024-7214
Published: 30 July 2024
Summary
CVE-2024-7214 is a medium-severity Command Injection (CWE-77) vulnerability in Totolink Lr350 Firmware. Its CVSS base score is 5.3 (Medium).
Operationally, ranked in the top 9.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-7214 is a command injection vulnerability classified under CWE-77 in the TOTOLINK LR350 router firmware version 9.3.5u.6369_B20220309. It resides in the setWanCfg function within /cgi-bin/cstecgi.cgi, where unsanitized input to the hostName argument allows arbitrary command execution.
The flaw can be triggered remotely by an authenticated attacker who supplies a crafted hostName value, resulting in command injection with limited effects on confidentiality, integrity, and availability as reflected in its CVSS 4.0 score of 5.3. Public exploit code has been released, enabling potential unauthorized command execution on affected devices.
References such as the GitHub disclosure and Vuldb entries detail the issue and proof-of-concept, yet the vendor received early notification and provided no response or patch information. The associated EPSS score has remained flat at 0.0584 with no material rise since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-48181
Vulnerability details
A vulnerability has been found in TOTOLINK LR350 9.3.5u.6369_B20220309 and classified as critical. Affected by this vulnerability is the function setWanCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument hostName leads to command injection. The attack can be launched…
more
remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-272785 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.