CVE-2024-7171

6.3 MEDIUM

📋 TL;DR

This critical vulnerability in TOTOLINK A3600R routers allows remote attackers to execute arbitrary operating system commands via command injection in the NTPSyncWithHost function. Attackers can exploit this to gain full control of affected devices. All users of TOTOLINK A3600R routers with the vulnerable firmware are affected.

💻 Affected Systems

Products:
  • TOTOLINK A3600R
Versions: 4.1.2cu.5182_B20201102
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface accessible via HTTP/HTTPS. No authentication is required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise allowing attackers to install persistent backdoors, pivot to internal networks, intercept traffic, or use the device as part of a botnet.

🟠 Likely Case

Remote code execution leading to device takeover, credential theft, and lateral movement within the network.

🟢 If Mitigated

Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available on GitHub. Attack requires sending specially crafted HTTP requests to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Vendor was contacted but did not respond. Consider replacing affected devices or implementing strict network controls.

🔧 Temporary Workarounds

Block Access to Management Interface

Restrict access to the router's web management interface from untrusted networks. An appended DROP rule (-A) has no effect if an earlier ACCEPT rule already matches, so insert the rules at the top of the chain (-I) and limit them to the WAN-facing interface; otherwise LAN-side management is cut off as well. The interface name is deployment-specific, so <wan-if> below is a placeholder:

iptables -I INPUT -i <wan-if> -p tcp --dport 80 -j DROP
iptables -I INPUT -i <wan-if> -p tcp --dport 443 -j DROP

Disable NTP Sync Function

If possible, disable the vulnerable NTP synchronization function via configuration.

🧯 If You Can't Patch

  • Isolate affected routers in a dedicated VLAN with strict firewall rules preventing outbound connections
  • Implement network monitoring for unusual traffic patterns from router IP addresses

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface at System Status > Firmware Version or via SSH: cat /proc/version

Check Version:

cat /proc/version | grep -i totolink

Verify Fix Applied:

No official fix available. Verify the workarounds by testing whether ports 80/443 are reachable from untrusted networks.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /cgi-bin/cstecgi.cgi with NTPSyncWithHost parameter
  • Suspicious command execution in system logs

Network Indicators:

  • Unexpected outbound connections from router IP
  • Traffic to known malicious IPs from router

SIEM Query:

source="router.log" AND "NTPSyncWithHost" AND ("hostTime=" OR "command=")
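The log indicators and SIEM query above can be turned into a small triage script. The following is an added example, not code from the page or the vendor: it scans constructed access-log-style lines (the A3600R's real log format is not described here, so the format, the query-string layout and the trusted 192.168.x prefix are assumptions) and flags NTPSyncWithHost requests whose hostTime value carries shell metacharacters or that come from outside the trusted networks.

```python
import re
from urllib.parse import urlsplit, unquote

# Characters that never belong in a timestamp but are meaningful to a shell.
SHELL_META = re.compile(r"[;|&`$()<>\n]")

# Constructed sample lines (not real router output). 203.0.113.0/24 is a
# documentation range standing in for an untrusted source.
SAMPLE_LOG = """\
192.168.0.23 - - [01/Jul/2024:10:00:01 +0000] "POST /cgi-bin/cstecgi.cgi?NTPSyncWithHost=1&hostTime=2024-07-01 HTTP/1.1" 200 42
203.0.113.7 - - [01/Jul/2024:10:00:05 +0000] "POST /cgi-bin/cstecgi.cgi?NTPSyncWithHost=1&hostTime=2024-07-01;INJECTED HTTP/1.1" 200 42
192.168.0.23 - - [01/Jul/2024:10:00:09 +0000] "GET /cgi-bin/cstecgi.cgi?getSysStatus=1 HTTP/1.1" 200 128
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def parse_query(query):
    """Split a query string on '&' only; ';' must stay inside the value so that
    an injected separator is seen, not silently treated as a delimiter."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params

def classify_line(line, trusted_nets=("192.168.",)):
    """Return None for lines that are not NTPSyncWithHost calls, else a dict with
    the client IP and a verdict: 'review' for an ordinary-looking call,
    'suspicious' when hostTime holds shell metacharacters or the client is
    outside the trusted prefixes (assumed prefixes; adjust per deployment)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != "/cgi-bin/cstecgi.cgi":
        return None
    params = parse_query(parts.query)
    if "NTPSyncWithHost" not in params:
        return None
    host_time = params.get("hostTime", "")
    reasons = []
    if SHELL_META.search(host_time):
        reasons.append("shell metacharacters in hostTime")
    if not m.group("ip").startswith(trusted_nets):
        reasons.append("client outside trusted networks")
    return {"ip": m.group("ip"), "hostTime": host_time,
            "verdict": "suspicious" if reasons else "review", "reasons": reasons}

def scan(log_text):
    """Run classify_line over every line and keep only the NTPSyncWithHost hits."""
    return [h for h in (classify_line(l) for l in log_text.splitlines()) if h]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```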
