CVE-2024-24326

9.8 CRITICAL

📋 TL;DR

This CVE describes a command injection vulnerability in TOTOLINK A3300R routers that allows an attacker to execute arbitrary commands on the device. The vulnerability is in the setStaticDhcpRules function, via the arpEnable parameter. It affects TOTOLINK A3300R routers running the vulnerable firmware version.

💻 Affected Systems

Products:
  • TOTOLINK A3300R
Versions: V17.0.0cu.557_B20221024
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface. The vulnerability is present in the default configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise leading to persistent backdoor installation, network traffic interception, lateral movement to other devices, and participation in botnets.

🟠 Likely Case

Remote code execution allowing attackers to modify router settings, intercept network traffic, or use the device as a pivot point for further attacks.

🟢 If Mitigated

Limited impact if the device is behind a firewall with restricted WAN access and proper network segmentation is implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication to the web interface. The GitHub reference contains technical details about the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

Check TOTOLINK official website for firmware updates. If available, download the latest firmware and upload via the web management interface under System Tools > Firmware Upgrade.

🔧 Temporary Workarounds

Disable remote management (applies to: all)

Prevent external access to the web management interface.

Access router web interface > Advanced > System Tools > Administration > Disable 'Remote Management'

Change default credentials (applies to: all)

Use strong, unique passwords for router administration.

Access router web interface > Advanced > System Tools > Administration > Change admin password

🧯 If You Can't Patch

  • Segment the router on a dedicated VLAN with strict firewall rules limiting inbound/outbound traffic
  • Implement network monitoring to detect unusual command execution patterns or unexpected outbound connections

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface: Advanced > Status > Device Info > Firmware Version

Check Version:

Not applicable - check via web interface

Verify Fix Applied:

Verify firmware version is newer than V17.0.0cu.557_B20221024

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in system logs
  • Multiple failed login attempts followed by successful login
  • Unexpected configuration changes

Network Indicators:

  • Unusual outbound connections from router IP
  • Traffic to known malicious IPs from router
  • Unexpected DNS queries

SIEM Query:

source="router_logs" AND (command="*;*" OR command="*|*" OR command="*`*" OR command="*$(*")
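The SIEM query above flags shell metacharacters anywhere in a logged command. The added Python example below (not part of this advisory or of TOTOLINK's firmware) narrows that idea to the vulnerable entry point: it scans log lines for calls to setStaticDhcpRules whose arpEnable value is not the plain 0/1 flag the parameter should carry, and reports why. The log line format and the sample lines are constructed for the example; real router logs will need a different parser.

```python
import re
from typing import Dict, List

# The same metacharacters the advisory's SIEM query looks for: ; | ` $(
SHELL_META = re.compile(r"[;|`]|\$\(")

# Constructed (hypothetical) log format, not TOTOLINK's real syslog layout:
#   <timestamp> <client-ip> <user> <function> key=value key=value ...
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<user>\S+)\s+(?P<func>\S+)\s+(?P<params>.*)$"
)


def parse_params(blob: str) -> Dict[str, str]:
    """Split 'k=v k=v ...' into a dict (values may hold any non-whitespace)."""
    out: Dict[str, str] = {}
    for tok in blob.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            out[key] = val
    return out


def find_suspicious(lines: List[str], func: str = "setStaticDhcpRules",
                    param: str = "arpEnable") -> List[Dict[str, str]]:
    """One finding per line where `func` got a `param` value that is not the
    expected 0/1 flag; the reason distinguishes metacharacters from other junk."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["func"] != func:
            continue  # other handlers are out of scope for this rule
        value = parse_params(m["params"]).get(param)
        if value is None or value in ("0", "1"):
            continue  # parameter absent or a legitimate boolean flag
        reason = "shell metacharacter" if SHELL_META.search(value) else "non-boolean value"
        findings.append({"ts": m["ts"], "ip": m["ip"], "user": m["user"],
                         "param": param, "value": value, "reason": reason})
    return findings


# Constructed sample log: one benign call, three abnormal values, one other handler.
SAMPLE_LOG = [
    "2024-01-15T10:02:11Z 192.0.2.10 admin setStaticDhcpRules arpEnable=1 ipAddr=192.168.0.50",
    "2024-01-15T10:03:40Z 192.0.2.10 admin setStaticDhcpRules arpEnable=1;x ipAddr=192.168.0.51",
    "2024-01-15T10:04:02Z 192.0.2.10 admin setStaticDhcpRules arpEnable=$(x) ipAddr=192.168.0.52",
    "2024-01-15T10:05:00Z 192.0.2.10 admin setStaticDhcpRules arpEnable=yes ipAddr=192.168.0.53",
    "2024-01-15T10:06:00Z 192.0.2.11 admin setOtherRule arpEnable=1|x ipAddr=192.168.0.54",
]
```

Run `find_suspicious(SAMPLE_LOG)` to get three findings: two tagged "shell metacharacter" and one "non-boolean value"; the setOtherRule line is ignored because the rule is scoped to the vulnerable function.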
