CVE-2024-54907

8.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on TOTOLINK A3002R routers via the formWsc function in the /bin/boa web server. Attackers can take full control of affected devices without authentication. Only TOTOLINK A3002R routers running the specific vulnerable firmware version are affected.

💻 Affected Systems

Products:
  • TOTOLINK A3002R
Versions: V4.0.0-B20230531.1404
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: Only this specific firmware version is confirmed vulnerable. Other versions may also be affected but not verified.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete device compromise, allowing attackers to install persistent malware, pivot to internal networks, intercept all network traffic, or brick the device.

🟠 Likely Case: Attackers gain shell access to install cryptocurrency miners, create botnet nodes, or steal credentials from connected devices.

🟢 If Mitigated: If network segmentation and strict firewall rules are in place, impact is limited to the router itself, without lateral movement.

🌐 Internet-Facing: HIGH - The vulnerability is in the web management interface, which is typically exposed to the internet; it requires no authentication, and public exploit code exists.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this to gain control of the router, but external exposure is the primary concern.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A public GitHub repository contains working exploit code. Exploitation requires sending crafted HTTP requests to the router's web interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: Yes

Instructions:

1. Check the TOTOLINK website for firmware updates
2. Download the latest firmware for the A3002R
3. Log in to the router admin panel
4. Navigate to the firmware upgrade section
5. Upload and apply the new firmware
6. Reboot the router after the update

🔧 Temporary Workarounds

Disable Remote Management (applies to: all)

Prevent external access to the router web interface.

Access router admin panel -> System -> Remote Management -> Disable

Firewall Block Web Interface (applies to: linux)

Block external access to the router web ports (typically 80/443). The original rules appended (-A) DROP rules with no interface match, which blocks the admin interface from the LAN as well and takes effect only if no earlier ACCEPT rule matches first. The corrected form below restricts the block to the WAN interface and inserts it at the top of the INPUT chain; <wan-if> is a placeholder for the WAN interface name on the device where the rules are applied.

# Drop inbound web-interface traffic arriving on the WAN interface only
iptables -I INPUT 1 -i <wan-if> -p tcp --dport 80 -j DROP
iptables -I INPUT 1 -i <wan-if> -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Isolate router on separate VLAN with strict firewall rules
  • Implement network monitoring for suspicious HTTP requests to router IP

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version in the admin panel under System -> Firmware Upgrade. If the version matches V4.0.0-B20230531.1404, the device is vulnerable.

Check Version:

curl -s http://router-ip/cgi-bin/version (or check the web interface)

Verify Fix Applied:

After the firmware update, verify that the version no longer matches the vulnerable version and confirm that the public exploit PoC no longer works against the device.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP POST requests to /cgi-bin/formWsc
  • Multiple failed login attempts followed by successful access
  • Suspicious process execution in router logs

Network Indicators:

  • HTTP requests with shell command patterns in parameters
  • Outbound connections from router to suspicious IPs
  • Unusual traffic patterns from router management interface

SIEM Query:

source="router_logs" AND (uri="/cgi-bin/formWsc" OR cmd="boa")
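As an added example (not part of this advisory), a small Python detector that applies the log and network indicators above to constructed log lines: it flags POSTs to /cgi-bin/formWsc whose form values contain shell metacharacters or command substitution, and POSTs to that endpoint from outside the LAN. The log layout (Combined Log Format plus a trailing body="..." field, as a reverse proxy or capture tool in front of the router might record it), the LAN range 192.168.0.0/24 and the form field names are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# Constructed sample lines, not real router output. Field names are made up;
# the body="..." field is assumed to be added by a proxy/capture tool.
SAMPLE_LOG = """\
192.168.0.20 - - [01/Jan/2025:10:00:01 +0000] "POST /cgi-bin/formWsc HTTP/1.1" 200 512 body="pin=12345670&page=/wps.html"
203.0.113.7 - - [01/Jan/2025:10:00:05 +0000] "POST /cgi-bin/formWsc HTTP/1.1" 200 512 body="pin=1234;id&page=/wps.html"
192.168.0.21 - - [01/Jan/2025:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 2048 body=""
192.168.0.22 - - [01/Jan/2025:10:00:12 +0000] "POST /cgi-bin/formWsc HTTP/1.1" 200 512 body="pin=%24%28uname%29&page=/wps.html"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ body="(?P<body>.*)"$'
)
# Shell separators and command substitution that never belong in a form value.
SHELL_RE = re.compile(r'[;|`&]|\$\(|\$\{')
VULN_PATH = "/cgi-bin/formWsc"
LAN = ipaddress.ip_network("192.168.0.0/24")  # assumed management network


def analyze_line(line):
    """Return the alert reasons for one log line (empty list if benign)."""
    m = LOG_RE.match(line)
    if not m or m["path"] != VULN_PATH:
        return []
    reasons = []
    # The management endpoint should only ever be reached from the LAN.
    if ipaddress.ip_address(m["ip"]) not in LAN:
        reasons.append("external-source")
    # parse_qs percent-decodes values, so encoded "$(" or ";" are caught too.
    for name, values in parse_qs(m["body"], keep_blank_values=True).items():
        for v in values:
            if SHELL_RE.search(v):
                reasons.append(f"shell-metachar:{name}")
    return reasons


def scan_log(text):
    """Map each suspicious line to its reasons; benign lines are omitted."""
    hits = {}
    for ln in text.splitlines():
        reasons = analyze_line(ln)
        if reasons:
            hits[ln] = reasons
    return hits


if __name__ == "__main__":
    for line, reasons in scan_log(SAMPLE_LOG).items():
        print(reasons, line[:60])
```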
