CVE-2024-42748

8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated attackers to execute arbitrary operating system commands on TOTOLINK X5000r routers through command injection in the WiFi WPS configuration function. Attackers with valid credentials can send specially crafted packets to gain full system control. Only users of the specific router model and firmware version are affected.

💻 Affected Systems

Products:
  • TOTOLINK X5000r
Versions: v9.1.0cu.2350_b20230313
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the router's web interface or API.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete router compromise allowing installation of persistent backdoors, credential theft, network pivoting to internal systems, and participation in botnets.

🟠 Likely Case: Router takeover leading to DNS hijacking, credential interception, and network traffic monitoring.

🟢 If Mitigated: Limited impact if strong authentication controls and network segmentation prevent unauthorized access to the router management interface.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices with management interfaces accessible from WAN.
🏢 Internal Only: MEDIUM - Attackers need authentication, but internal threats or credential compromise could lead to exploitation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Public GitHub repository contains detailed exploitation methodology and proof-of-concept.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: Yes

Instructions:

1. Check the TOTOLINK website for firmware updates.
2. Download the latest firmware.
3. Access the router admin interface.
4. Navigate to the firmware upgrade section.
5. Upload and apply the new firmware.
6. Reboot the router.

🔧 Temporary Workarounds

Disable WPS functionality (applies to: all)

Turn off the WiFi Protected Setup feature to remove the vulnerable code path.

Restrict management interface access (applies to: all)

Limit router admin access to specific IP addresses or disable remote management.

🧯 If You Can't Patch

  • Segment router management interface to isolated VLAN with strict access controls
  • Implement network monitoring for unusual outbound connections or command execution patterns

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version in the admin interface and compare it with the vulnerable version v9.1.0cu.2350_b20230313.

Check Version:

Log in to the router admin interface and navigate to the System Status or About page.

Verify Fix Applied:

Verify that the firmware version has been updated to a version newer than v9.1.0cu.2350_b20230313.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /cgi-bin/cstecgi.cgi with setWiFiWpsCfg parameters
  • Multiple failed authentication attempts followed by successful login

Network Indicators:

  • Unexpected outbound connections from router
  • Unusual traffic patterns from router management interface

SIEM Query:

dest_ip=router_ip AND (uri_path="/cgi-bin/cstecgi.cgi" AND http_method=POST AND uri_query CONTAINS "setWiFiWpsCfg")

(The router is the destination of the request being hunted for; the client address is the source.)
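The two log indicators above, implemented over constructed sample log lines as an added example (not the page's own tooling or the vendor's code): the first function mirrors the conditions of the SIEM query, the second flags a run of failed logins followed by a success from the same client. The simplified line format, the sample addresses and query strings, and the login endpoint name /cgi-bin/login.cgi are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample lines (not real device logs): "client method uri status".
SAMPLE_LOG = """\
192.0.2.10 POST /cgi-bin/cstecgi.cgi?topicurl=setWiFiWpsCfg 200
192.0.2.10 POST /cgi-bin/cstecgi.cgi?topicurl=getSysStatus 200
198.51.100.7 POST /cgi-bin/login.cgi 401
198.51.100.7 POST /cgi-bin/login.cgi 401
198.51.100.7 POST /cgi-bin/login.cgi 401
198.51.100.7 POST /cgi-bin/login.cgi 200
198.51.100.7 POST /cgi-bin/cstecgi.cgi?topicurl=setWiFiWpsCfg 200
203.0.113.5 GET /cgi-bin/cstecgi.cgi?topicurl=setWiFiWpsCfg 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")
WPS_PATH, WPS_MARKER = "/cgi-bin/cstecgi.cgi", "setWiFiWpsCfg"
LOGIN_PATH = "/cgi-bin/login.cgi"  # assumed endpoint name, not from the page

def parse_line(line):
    """Split one log line into fields; None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, method, uri, status = m.groups()
    path, _, query = uri.partition("?")
    return {"client": client, "method": method, "path": path,
            "query": query, "status": int(status)}

def records(log_text):
    return [r for r in map(parse_line, log_text.splitlines()) if r]

def wps_cfg_requests(log_text):
    """First indicator (the SIEM query): POST to cstecgi.cgi naming setWiFiWpsCfg."""
    return [(r["client"], r["query"]) for r in records(log_text)
            if r["method"] == "POST" and r["path"] == WPS_PATH
            and WPS_MARKER in r["query"]]

def brute_force_then_success(log_text, min_failures=3):
    """Second indicator: >= min_failures 401s on login, then a 200, same client."""
    streak, flagged = defaultdict(int), []
    for r in records(log_text):
        if r["path"] != LOGIN_PATH:
            continue
        c = r["client"]
        if r["status"] == 401:
            streak[c] += 1
        elif r["status"] == 200:
            if streak[c] >= min_failures and c not in flagged:
                flagged.append(c)
            streak[c] = 0
    return flagged
```

A client that appears in both lists (here 198.51.100.7) is the strongest signal, since it combines the credential-guessing pattern with a write to the vulnerable WPS configuration endpoint.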
