Login Sign Up

CVE-2024-57017

8.8 HIGH
Remote Code Execution

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary operating system commands on TOTOLINK X5000R routers by injecting malicious commands through the 'pass' parameter in the setVpnAccountCfg function. Attackers can gain full control of affected devices, potentially compromising network security. Only users of specific TOTOLINK X5000R router versions are affected.

💻 Affected Systems

Products:
  • TOTOLINK X5000R
Versions: V9.1.0cu.2350_B20230313
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires access to VPN configuration interface. Default configurations may expose this interface.

📦 What is this software?

X5000r Firmware by Totolink

View all CVEs affecting X5000r Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device takeover leading to network compromise, data exfiltration, lateral movement to other devices, and persistent backdoor installation.

🟠

Likely Case

Router compromise allowing traffic interception, credential theft, DNS manipulation, and use as attack platform against internal network.

🟢

If Mitigated

Limited impact if device is behind firewall with restricted VPN access and proper network segmentation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Proof of concept available on GitHub. Requires authentication to VPN configuration interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor for latest firmware

Vendor Advisory: https://www.totolink.net/

Restart Required: Yes

Instructions:

1. Visit TOTOLINK support website. 2. Download latest firmware for X5000R. 3. Log into router admin interface. 4. Navigate to System Tools > Firmware Upgrade. 5. Upload and install new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Disable VPN functionality

all

Temporarily disable VPN services to prevent exploitation through vulnerable interface

Restrict VPN configuration access

all

Limit access to VPN configuration interface to trusted IP addresses only

🧯 If You Can't Patch

  • Isolate affected routers in separate VLAN with strict firewall rules
  • Implement network monitoring for unusual VPN configuration attempts

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under System Status

Check Version:

Login to router admin interface and check System Status page

Verify Fix Applied:

Verify firmware version is newer than V9.1.0cu.2350_B20230313

📡 Detection & Monitoring

Log Indicators:

  • Unusual VPN configuration changes
  • Suspicious commands in system logs
  • Multiple failed authentication attempts to admin interface

Network Indicators:

  • Unexpected outbound connections from router
  • VPN configuration traffic from unauthorized sources

SIEM Query:

source="router_logs" AND (event="vpn_config" OR command="setVpnAccountCfg") AND (user!="admin" OR command contains special characters)

📊 Metadata

CVE ID: CVE-2024-57017
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-78
EPSS Score: 6.95% exploit probability (91.2th percentile)
Published: January 15, 2025
Last Updated: March 13, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-57017, you might also want to check these:

CVE-2023-2564 10.0

This CVE describes an OS command injection vulnerability in scanservjs web scanning software that al...

Same vulnerability type (CWE-78)
CVE-2024-58338 10.0

Anevia Flamingo XL 3.2.9 contains a restricted shell escape vulnerability that allows remote attacke...

Same vulnerability type (CWE-78)
CVE-2025-26389 10.0

This critical vulnerability allows unauthenticated remote attackers to execute arbitrary code with r...

Same vulnerability type (CWE-78)