Login Sign Up

CVE-2024-23058

9.8 CRITICAL
Remote Code Execution

📋 TL;DR

This CVE describes a command injection vulnerability in TOTOLINK A3300R routers that allows attackers to execute arbitrary commands via the pass parameter in the setTr069Cfg function. Attackers can gain full control of affected devices, potentially compromising entire networks. Users of TOTOLINK A3300R routers with vulnerable firmware are affected.

💻 Affected Systems

Products:
  • TOTOLINK A3300R
Versions: V17.0.0cu.557_B20221024
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects routers with TR-069 configuration enabled. The vulnerability is in the web interface/management component.

📦 What is this software?

A3300r Firmware by Totolink

View all CVEs affecting A3300r Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device takeover leading to network compromise, data exfiltration, ransomware deployment, and use as botnet node for DDoS attacks.

🟠

Likely Case

Router compromise allowing traffic interception, credential theft, and lateral movement to connected devices.

🟢

If Mitigated

Limited impact if device is isolated, patched, or has strict network segmentation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication to the router's web interface. The GitHub reference contains technical details about the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check TOTOLINK website for firmware updates. 2. Download latest firmware. 3. Access router admin interface. 4. Navigate to firmware upgrade section. 5. Upload and apply new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Disable TR-069 remote management

all

Turn off TR-069 configuration feature to prevent exploitation via vulnerable parameter

Restrict admin interface access

all

Limit access to router admin interface to trusted IP addresses only

🧯 If You Can't Patch

  • Isolate affected routers in separate VLAN with strict firewall rules
  • Implement network segmentation to limit lateral movement from compromised routers

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via admin interface. If version is V17.0.0cu.557_B20221024, device is vulnerable.

Check Version:

Login to router admin interface and check System Status or Firmware Information page

Verify Fix Applied:

Verify firmware version has been updated to a version later than V17.0.0cu.557_B20221024

📡 Detection & Monitoring

Log Indicators:

  • Unusual TR-069 configuration changes
  • Multiple failed login attempts followed by successful login
  • Suspicious command execution in system logs

Network Indicators:

  • Unexpected outbound connections from router
  • Traffic to known malicious IPs from router
  • Unusual port scanning originating from router

SIEM Query:

source="router_logs" AND (event="setTr069Cfg" OR event="configuration_change") AND user!="admin"

📊 Metadata

CVE ID: CVE-2024-23058
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-78
Published: January 11, 2024
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-23058, you might also want to check these:

CVE-2023-2564 10.0

This CVE describes an OS command injection vulnerability in scanservjs web scanning software that al...

Same vulnerability type (CWE-78)
CVE-2024-58338 10.0

Anevia Flamingo XL 3.2.9 contains a restricted shell escape vulnerability that allows remote attacke...

Same vulnerability type (CWE-78)
CVE-2025-26389 10.0

This critical vulnerability allows unauthenticated remote attackers to execute arbitrary code with r...

Same vulnerability type (CWE-78)