CVE-2024-32350

8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated attackers to execute arbitrary commands on TOTOLINK X5000R routers by exploiting improper input validation in the ipsecPsk parameter. Attackers with valid credentials can gain full system control. Only TOTOLINK X5000R routers running the affected firmware are impacted.

💻 Affected Systems

Products:
  • TOTOLINK X5000R
Versions: V9.1.0cu.2350_B20230313
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authentication to exploit, but default credentials may be present.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the router allowing attackers to intercept network traffic, pivot to internal networks, install persistent backdoors, or use the device for botnet activities.

🟠 Likely Case

Attackers with stolen or default credentials execute commands to reconfigure the router, steal credentials, or deploy malware on connected devices.

🟢 If Mitigated

Limited to authenticated users only, with proper credential management reducing attack surface.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authentication but is straightforward once credentials are obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.totolink.net/

Restart Required: Yes

Instructions:

1. Check the vendor website for firmware updates.
2. Download the latest firmware.
3. Upload it via the router admin interface.
4. Reboot the router.

🔧 Temporary Workarounds

Disable Remote Administration (all)

Prevent external access to the router administration interface.

Change Default Credentials (all)

Use strong, unique passwords for router admin accounts.

🧯 If You Can't Patch

  • Isolate affected routers in separate network segments
  • Implement strict firewall rules to limit access to router administration interface

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version in the admin interface. If the version is V9.1.0cu.2350_B20230313, the device is vulnerable.

Check Version:

Check the router web interface, or use nmap to identify the device version.

Verify Fix Applied:

Verify firmware version has been updated to a version newer than V9.1.0cu.2350_B20230313.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to cstecgi.cgi with ipsecPsk parameter
  • Multiple failed login attempts followed by successful authentication

Network Indicators:

  • Unusual outbound connections from router
  • Traffic patterns suggesting command execution

SIEM Query:

source_ip="router_ip" AND (uri="*/cstecgi.cgi*" OR (method="POST" AND params CONTAINS "ipsecPsk"))

Replace router_ip with the address of the router; the inner parentheses make the intended precedence explicit, since AND otherwise binds tighter than OR in most query languages.
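As an added example, not part of this advisory: a small Python detector that applies the two log indicators above to a constructed request log. The log line format, the /cgi-bin/ path prefix, the IP addresses, the parameter values and the failed-login threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample log (assumption): one request per line as
# "<src_ip> <status> <method> <path> <params>", where params holds the
# decoded request parameters or "-" when there are none. The /cgi-bin/
# prefix, the IPs and every parameter value are made up for this example.
SAMPLE_LOG = """\
192.0.2.10 200 GET /cgi-bin/cstecgi.cgi -
203.0.113.7 401 POST /cgi-bin/cstecgi.cgi username=admin&password=guess1
203.0.113.7 401 POST /cgi-bin/cstecgi.cgi username=admin&password=guess2
203.0.113.7 401 POST /cgi-bin/cstecgi.cgi username=admin&password=guess3
203.0.113.7 200 POST /cgi-bin/cstecgi.cgi username=admin&password=admin
203.0.113.7 200 POST /cgi-bin/cstecgi.cgi ipsecPsk=secret123
192.0.2.10 200 POST /cgi-bin/cstecgi.cgi ssid=HomeWifi
"""

LINE_RE = re.compile(r"^(\S+) (\d{3}) (\S+) (\S+) (\S+)$")
FAILED_LOGIN_THRESHOLD = 3  # assumption: tune to your environment

def parse(line):
    """Split one log line into its fields; return None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, status, method, path, params = m.groups()
    return {"ip": ip, "status": int(status), "method": method, "path": path, "params": params}

def detect(log_text):
    """Return (line_no, src_ip, reason) alerts for the two log indicators:
    a POST to cstecgi.cgi that sets ipsecPsk, and a run of failed logins
    from one source followed by a successful one."""
    alerts = []
    failures = defaultdict(int)
    for n, line in enumerate(log_text.splitlines(), 1):
        ev = parse(line)
        if ev is None:
            continue
        on_cgi = ev["path"].endswith("/cstecgi.cgi")
        # Indicator 1: any POST to cstecgi.cgi carrying an ipsecPsk parameter.
        if ev["method"] == "POST" and on_cgi and re.search(r"(^|&)ipsecPsk=", ev["params"]):
            alerts.append((n, ev["ip"], "ipsecPsk set via cstecgi.cgi"))
        # Indicator 2: per-source count of rejected logins, reset on success.
        if ev["method"] == "POST" and "password=" in ev["params"]:
            if ev["status"] in (401, 403):
                failures[ev["ip"]] += 1
            elif ev["status"] == 200:
                if failures[ev["ip"]] >= FAILED_LOGIN_THRESHOLD:
                    alerts.append((n, ev["ip"], f"login success after {failures[ev['ip']]} failures"))
                failures[ev["ip"]] = 0
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Feeding a real export from the router or an upstream proxy only requires adjusting LINE_RE and the field names in parse().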
