Login Sign Up

CVE-2024-8076

8.8 HIGH
Remote Code Execution Buffer Overflow

📋 TL;DR

This critical vulnerability in TOTOLINK AC1200 T8 routers allows remote attackers to execute arbitrary code via a buffer overflow in the setDiagnosisCfg function. Attackers can exploit this without authentication to potentially take full control of affected devices. All users running the vulnerable firmware version are at risk.

💻 Affected Systems

Products:
  • TOTOLINK AC1200 T8
Versions: 4.1.5cu.862_B20230228
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running this specific firmware version are vulnerable by default. The setDiagnosisCfg function is accessible via web interface.

📦 What is this software?

T8 Firmware by Totolink

View all CVEs affecting T8 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing persistent backdoor installation, network traffic interception, lateral movement to internal networks, and botnet recruitment.

🟠

Likely Case

Remote code execution leading to device takeover, credential theft, and use as pivot point for internal network attacks.

🟢

If Mitigated

Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept available on GitHub demonstrates remote exploitation. Attack requires no authentication and has low complexity.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.totolink.net/

Restart Required: Yes

Instructions:

1. Check vendor website for firmware updates. 2. Download latest firmware. 3. Log into router admin interface. 4. Navigate to firmware upgrade section. 5. Upload and apply new firmware. 6. Reboot device.

🔧 Temporary Workarounds

Network Isolation

all

Place vulnerable routers behind firewalls with strict inbound filtering

Access Restriction

all

Disable remote administration and restrict web interface access to trusted IPs only

🧯 If You Can't Patch

  • Replace vulnerable devices with supported models from different vendors
  • Implement network segmentation to isolate vulnerable routers from critical assets

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface under System Status or About page

Check Version:

curl -s http://router-ip/ | grep -i firmware || ssh admin@router-ip 'cat /proc/version'

Verify Fix Applied:

Verify firmware version has changed from 4.1.5cu.862_B20230228 to a newer version

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to setDiagnosisCfg endpoint
  • Multiple failed buffer overflow attempts
  • Unexpected process crashes or reboots

Network Indicators:

  • Unusual outbound connections from router
  • Traffic patterns suggesting command and control communication
  • Port scanning originating from router

SIEM Query:

source="router_logs" AND (uri="*setDiagnosisCfg*" OR message="*buffer*overflow*")

📊 Metadata

CVE ID: CVE-2024-8076
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-120
Published: August 22, 2024
Last Updated: December 13, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-8076, you might also want to check these:

CVE-2023-24482 10.0

This CVE describes a critical buffer overflow vulnerability in COMOS software's cache validation ser...

Same vulnerability type (CWE-120)
CVE-2024-22039 10.0

This vulnerability allows unauthenticated remote attackers to execute arbitrary code with root privi...

Same vulnerability type (CWE-120)
CVE-2022-22570 10.0

A buffer overflow vulnerability in UniFi Door Access Reader Lite firmware allows attackers with netw...

Same vulnerability type (CWE-120)