Login Sign Up

CVE-2024-57012

8.8 HIGH
Remote Code Execution

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary operating system commands on TOTOLINK X5000R routers by injecting malicious payloads into the 'week' parameter of the setScheduleCfg function. Attackers can gain full control of affected devices, potentially compromising network security. Users of TOTOLINK X5000R routers with vulnerable firmware are affected.

💻 Affected Systems

Products:
  • TOTOLINK X5000R
Versions: V9.1.0cu.2350_B20230313
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface of the router. No authentication bypass is required, but attackers need access to the interface.

📦 What is this software?

X5000r Firmware by Totolink

View all CVEs affecting X5000r Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device takeover leading to persistent backdoor installation, network traffic interception, lateral movement to other devices, and participation in botnets.

🟠

Likely Case

Unauthorized command execution allowing configuration changes, credential theft, and network disruption.

🟢

If Mitigated

Limited impact if network segmentation, strict firewall rules, and proper access controls prevent exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires access to the router's web interface and knowledge of the vulnerable parameter. No public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check TOTOLINK for latest firmware updates

Vendor Advisory: https://www.totolink.net/

Restart Required: Yes

Instructions:

1. Log into TOTOLINK router web interface. 2. Navigate to System Tools > Firmware Upgrade. 3. Download latest firmware from TOTOLINK website. 4. Upload and install firmware. 5. Reboot router after installation.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to router web interface

Network Segmentation

all

Isolate router management interface from untrusted networks

🧯 If You Can't Patch

  • Implement strict firewall rules to block all external access to router management interface
  • Monitor network traffic for unusual patterns and command injection attempts

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in web interface under System Status > Firmware Version

Check Version:

Login to router web interface and navigate to System Status

Verify Fix Applied:

Verify firmware version has been updated to a version later than V9.1.0cu.2350_B20230313

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in system logs
  • Multiple failed login attempts followed by schedule configuration changes

Network Indicators:

  • Unusual outbound connections from router
  • Traffic patterns suggesting command and control communication

SIEM Query:

source="router_logs" AND ("setScheduleCfg" OR "week parameter" OR command_injection_indicators)

📊 Metadata

CVE ID: CVE-2024-57012
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-78
EPSS Score: 6.95% exploit probability (91.2th percentile)
Published: January 15, 2025
Last Updated: March 14, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-57012, you might also want to check these:

CVE-2023-2564 10.0

This CVE describes an OS command injection vulnerability in scanservjs web scanning software that al...

Same vulnerability type (CWE-78)
CVE-2024-58338 10.0

Anevia Flamingo XL 3.2.9 contains a restricted shell escape vulnerability that allows remote attacke...

Same vulnerability type (CWE-78)
CVE-2025-26389 10.0

This critical vulnerability allows unauthenticated remote attackers to execute arbitrary code with r...

Same vulnerability type (CWE-78)