Login Sign Up

CVE-2024-32355

8.0 HIGH
Remote Code Execution

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary commands on TOTOLINK X5000R routers by injecting malicious commands into the 'password' parameter of the setSSServer function. Attackers can gain full control of affected devices, potentially compromising network security. Only users of specific TOTOLINK X5000R router versions are affected.

💻 Affected Systems

Products:
  • TOTOLINK X5000R
Versions: V9.1.0cu.2350_B20230313
Operating Systems: Embedded router OS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration. No special configuration required for exploitation.

📦 What is this software?

X5000r Firmware by Totolink

View all CVEs affecting X5000r Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device takeover leading to network compromise, data exfiltration, lateral movement to other devices, and persistent backdoor installation.

🟠

Likely Case

Router compromise allowing traffic interception, DNS manipulation, credential theft, and use as attack platform.

🟢

If Mitigated

Limited impact if device is isolated, not internet-facing, and has strict network segmentation.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, making them prime targets for remote exploitation.
🏢 Internal Only: MEDIUM - Still vulnerable to internal attackers or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept available. Exploitation requires network access to router web interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.totolink.net/

Restart Required: Yes

Instructions:

1. Check vendor website for firmware updates. 2. Download latest firmware. 3. Access router admin interface. 4. Navigate to firmware upgrade section. 5. Upload new firmware file. 6. Wait for reboot.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to router administration interface

Network Segmentation

all

Isolate router management interface to trusted network segment only

🧯 If You Can't Patch

  • Replace affected devices with patched or different model routers
  • Implement strict network access controls and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface. If version is V9.1.0cu.2350_B20230313, device is vulnerable.

Check Version:

Check router web interface at http://[router-ip]/ or use telnet/ssh if available

Verify Fix Applied:

Verify firmware version has been updated to a version later than V9.1.0cu.2350_B20230313.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in router logs
  • Multiple failed login attempts to admin interface
  • Unexpected configuration changes

Network Indicators:

  • Unusual outbound connections from router
  • Traffic to unexpected destinations
  • Port scanning originating from router

SIEM Query:

source="router_logs" AND ("command injection" OR "setSSServer" OR unusual_admin_access)

📊 Metadata

CVE ID: CVE-2024-32355
CVSS v3 Score: 8.0 (HIGH)
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-77
Published: May 14, 2024
Last Updated: April 4, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-32355, you might also want to check these:

CVE-2024-48841 10.0

This critical vulnerability in FLXEON software allows remote attackers to execute arbitrary code wit...

Same vulnerability type (CWE-77)
CVE-2025-59818 10.0

This vulnerability allows authenticated attackers to execute arbitrary system commands by manipulati...

Same vulnerability type (CWE-77)
CVE-2024-28354 10.0

This is a critical command injection vulnerability in TRENDnet TEW-827DRU routers that allows remote...

Same vulnerability type (CWE-77)