Login Sign Up

CVE-2024-34257

9.8 CRITICAL
Remote Code Execution Authentication Bypass

📋 TL;DR

This vulnerability allows unauthenticated attackers to execute arbitrary commands on TOTOLINK EX1800T routers by exploiting the apcliEncrypType parameter. Successful exploitation grants administrator privileges, enabling complete device compromise. Only users of specific TOTOLINK EX1800T firmware versions are affected.

💻 Affected Systems

Products:
  • TOTOLINK EX1800T
Versions: V9.1.0cu.2112_B20220316
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the specific firmware version only; other versions may be vulnerable but unconfirmed.

📦 What is this software?

Ex1800t Firmware by Totolink

View all CVEs affecting Ex1800t Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains full administrative control over the router, enabling traffic interception, network pivoting, malware deployment, and persistent backdoor installation.

🟠

Likely Case

Remote code execution leading to device takeover, credential theft, and network surveillance.

🟢

If Mitigated

Limited impact if device is isolated behind firewalls with strict network segmentation and access controls.

🌐 Internet-Facing: HIGH - Directly exploitable over network without authentication.
🏢 Internal Only: HIGH - Exploitable from any network segment with access to the device.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept available in GitHub repositories; exploitation requires network access to the device's web interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

No official patch available. Monitor TOTOLINK website for firmware updates and apply immediately when released.

🔧 Temporary Workarounds

Network Isolation

all

Place affected routers behind firewalls with strict inbound/outbound rules, limiting access to trusted IPs only.

Disable Remote Management

all

Turn off remote administration features and ensure web interface is only accessible from internal network.

🧯 If You Can't Patch

  • Replace affected devices with patched or alternative models
  • Implement strict network segmentation to isolate vulnerable devices from critical assets

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface under System Status or Administration settings.

Check Version:

Login to router web interface and navigate to System Status page.

Verify Fix Applied:

Verify firmware version has been updated to a version later than V9.1.0cu.2112_B20220316.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /cgi-bin/cstecgi.cgi with apcliEncrypType parameter containing shell commands
  • Unexpected process execution or configuration changes

Network Indicators:

  • HTTP requests with command injection patterns in parameters
  • Unusual outbound connections from router

SIEM Query:

http.method:POST AND http.uri:"/cgi-bin/cstecgi.cgi" AND http.param:"apcliEncrypType" AND (http.param:*"|"* OR http.param:*"$"* OR http.param:*";"*)

📊 Metadata

CVE ID: CVE-2024-34257
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-285
Published: May 8, 2024
Last Updated: May 28, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-34257, you might also want to check these:

CVE-2025-65041 10.0

CVE-2025-65041 is an improper authorization vulnerability in Microsoft Partner Center that allows un...

Same vulnerability type (CWE-285)
CVE-2021-37705 10.0

CVE-2021-37705 is an authorization bypass vulnerability in OneFuzz that allows authenticated users f...

Same vulnerability type (CWE-285)
CVE-2023-33189 10.0

CVE-2023-33189 is an authorization bypass vulnerability in Pomerium identity-aware access proxy. Att...

Same vulnerability type (CWE-285)