Login Sign Up

CVE-2024-31807

9.8 CRITICAL
Remote Code Execution

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on TOTOLINK EX200 routers by sending specially crafted requests to the NTPSyncWithHost function. Attackers can take full control of affected devices without authentication. All users running vulnerable firmware versions are affected.

💻 Affected Systems

Products:
  • TOTOLINK EX200
Versions: V4.0.3c.7646_B20201211
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the specific firmware version mentioned; other versions may also be vulnerable but unconfirmed.

📦 What is this software?

Ex200 Firmware by Totolink

View all CVEs affecting Ex200 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router allowing attackers to intercept network traffic, deploy malware to connected devices, pivot to internal networks, and establish persistent backdoors.

🟠

Likely Case

Router takeover leading to network monitoring, DNS hijacking, credential theft, and potential lateral movement to connected devices.

🟢

If Mitigated

Limited impact if device is behind firewall with strict inbound filtering and network segmentation prevents lateral movement.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication, making internet-facing devices immediate targets.
🏢 Internal Only: MEDIUM - Internal devices are still vulnerable to attackers who gain initial network access through other means.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept exists in GitHub repository, making exploitation straightforward for attackers with basic skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check TOTOLINK website for firmware updates. 2. Download latest firmware. 3. Access router admin interface. 4. Navigate to firmware upgrade section. 5. Upload and apply new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Disable remote management

all

Prevent external access to router administration interface

Network segmentation

all

Isolate router management interface to separate VLAN

🧯 If You Can't Patch

  • Place router behind firewall with strict inbound filtering rules
  • Implement network monitoring for suspicious traffic to router management interface

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under System Status or Firmware Upgrade section

Check Version:

Login to router web interface and navigate to System Status page

Verify Fix Applied:

Verify firmware version has been updated to a version later than V4.0.3c.7646_B20201211

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to NTPSyncWithHost endpoint
  • Multiple failed login attempts followed by successful exploitation

Network Indicators:

  • Unexpected outbound connections from router
  • Suspicious traffic patterns to/from router management interface

SIEM Query:

source="router_logs" AND (uri="/cgi-bin/NTPSyncWithHost" OR method="POST" AND uri CONTAINS "NTPSyncWithHost")

📊 Metadata

CVE ID: CVE-2024-31807
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-94
Published: April 8, 2024
Last Updated: March 18, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-31807, you might also want to check these:

CVE-2025-62521 10.0

CVE-2025-62521 is a critical pre-authentication remote code execution vulnerability in ChurchCRM tha...

Same vulnerability type (CWE-94)
CVE-2026-26216 10.0

Crawl4AI versions before 0.8.0 contain an unauthenticated remote code execution vulnerability in the...

Same vulnerability type (CWE-94)
CVE-2021-22205 10.0

CVE-2021-22205 is a critical remote code execution vulnerability in GitLab CE/EE where improper vali...

Same vulnerability type (CWE-94)