CVE-2024-28404

8.0 HIGH

📋 TL;DR

This stored cross-site scripting (XSS) vulnerability in TOTOLINK X2000R routers allows attackers to inject malicious scripts into the MAC Filtering configuration page. When administrators view the firewall page, the scripts execute in their browser context, potentially compromising router administration. This affects all users running vulnerable firmware versions.

💻 Affected Systems

Products:
  • TOTOLINK X2000R
Versions: All versions before V1.0.0-B20231213.1013
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is in the web administration interface. Injecting the payload requires admin access, but any administrator who later views the compromised page is affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Administrator account takeover leading to full router compromise, network traffic interception, credential theft, and lateral movement to connected devices.

🟠 Likely Case: Session hijacking of administrator accounts, configuration changes, and installation of backdoors on the router.

🟢 If Mitigated: Limited impact with proper network segmentation and admin access restrictions, though the XSS could still enable limited privilege escalation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated admin access to inject the payload; a public proof-of-concept demonstrates the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V1.0.0-B20231213.1013 or later

Vendor Advisory: https://www.totolink.net/home/menu/detail/menu_listtpl/products/id/242/ids/33.html

Restart Required: Yes

Instructions:

1. Download the latest firmware from the TOTOLINK website.
2. Log into the router admin interface.
3. Navigate to System Tools > Firmware Upgrade.
4. Upload the new firmware file.
5. Wait for the automatic reboot.

🔧 Temporary Workarounds

Disable MAC Filtering (applies to: all versions)

Remove or disable the MAC filtering functionality to eliminate the attack surface.

Restrict Admin Access (applies to: all versions)

Limit router admin interface access to specific IP addresses only.

🧯 If You Can't Patch

  • Isolate the router management interface on a separate VLAN with strict access controls
  • Put a web application firewall (WAF) with XSS protection rules in front of the admin interface

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the router admin interface under System Status > Firmware Version.

Check Version:

There is no CLI command; check via the web interface on the System Status page.

Verify Fix Applied:

Confirm that the firmware version shown in System Status is V1.0.0-B20231213.1013 or later.

📡 Detection & Monitoring

Log Indicators:

  • Unusual MAC address entries in firewall logs
  • Multiple failed login attempts followed by configuration changes

Network Indicators:

  • Unexpected JavaScript payloads in HTTP POST requests to /cgi-bin/cstecgi.cgi
  • Suspicious outbound connections from router

SIEM Query:

source="router_logs" AND ("MAC Filtering" OR "cstecgi.cgi") AND ("script" OR "javascript" OR "onerror")
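The SIEM query above only matches literal strings, so a URL-encoded (or double-encoded) payload in a POST body to /cgi-bin/cstecgi.cgi would slip past it. The following is an added example, not part of this advisory and not TOTOLINK code, that applies the same indicators (cstecgi.cgi / MAC Filtering plus script markers) to router request logs after decoding the body. The log line format, the field names (form, desc) and all sample entries are constructed for illustration and do not reflect the router's real request format.

```python
import re
from urllib.parse import unquote

# Indicators taken from the advisory's SIEM query: requests touching the
# MAC Filtering page or the cstecgi.cgi endpoint that carry script markers.
PATH_MARKERS = ("cstecgi.cgi", "mac filtering")
SCRIPT_MARKERS = re.compile(r"<\s*script|javascript:|onerror\s*=", re.IGNORECASE)

# Hypothetical log line layout: <timestamp> <source ip> <method> <path> [body="..."]
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+)(?: body="(?P<body>.*)")?$'
)


def parse_line(line):
    """Split one constructed log line into fields; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["body"] = rec["body"] or ""
    return rec


def decode_repeatedly(text, rounds=3):
    """URL-decode until stable (bounded), so double-encoded payloads are still visible."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def scan_log_lines(lines):
    """Return one hit per log line whose decoded path/body shows a script marker."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        haystack = rec["path"] + " " + rec["body"]
        # Scope to the endpoint/page named in the advisory to keep noise down.
        if not any(marker in haystack.lower() for marker in PATH_MARKERS):
            continue
        decoded = decode_repeatedly(haystack)
        match = SCRIPT_MARKERS.search(decoded)
        if match:
            hits.append({"ts": rec["ts"], "src": rec["src"], "path": rec["path"],
                         "indicator": match.group(0)})
    return hits


# Constructed sample log lines (not real traffic): two benign admin requests,
# one single-encoded and one double-encoded script marker, and one request to
# an unrelated endpoint that is deliberately out of scope.
SAMPLE_LOG = [
    '2024-03-05T10:12:01Z 192.168.0.10 GET /cgi-bin/cstecgi.cgi?action=status',
    '2024-03-05T10:12:07Z 192.168.0.10 POST /cgi-bin/cstecgi.cgi body="form=macfilter&desc=printer"',
    '2024-03-05T10:13:44Z 192.168.0.23 POST /cgi-bin/cstecgi.cgi body="form=macfilter&desc=%3Cscript%3Etest%3C%2Fscript%3E"',
    '2024-03-05T10:14:02Z 192.168.0.23 POST /cgi-bin/cstecgi.cgi body="form=macfilter&desc=%253Cimg%2520onerror%253Dx%253E"',
    '2024-03-05T10:15:00Z 192.168.0.50 POST /login.cgi body="user=admin&desc=%3Cscript%3E"',
]

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["src"]} {hit["path"]} matched {hit["indicator"]!r}')
```

The bounded decode loop is the part worth keeping: a single `unquote` would miss the double-encoded entry, while an unbounded loop can be made to spin on crafted input. Widening PATH_MARKERS to other endpoints raises coverage at the cost of more false positives from legitimate admin traffic.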
