CVE-2024-8577

8.8 HIGH

📋 TL;DR

This high-severity (CVSS 8.8) buffer overflow vulnerability in TOTOLINK AC1200 routers allows remote attackers to execute arbitrary code by sending specially crafted requests that reach the setStaticDhcpRules handler. Attackers can exploit this without authentication to potentially take complete control of affected devices. All users of TOTOLINK AC1200 T8 and T10 routers running the affected firmware versions listed below are affected.

💻 Affected Systems

Products:
  • TOTOLINK AC1200 T8
  • TOTOLINK AC1200 T10
Versions: 4.1.5cu.861_B20230220 and 4.1.8cu.5207
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration; no special settings required

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete device compromise, persistence installation, network pivoting, and data exfiltration
🟠 Likely Case: Device takeover enabling man-in-the-middle attacks, credential theft, and botnet recruitment
🟢 If Mitigated: Limited impact if devices are isolated behind firewalls with strict inbound filtering

🌐 Internet-Facing: HIGH - Exploitable remotely without authentication, public exploit available
🏢 Internal Only: HIGH - Once inside network, attackers can easily exploit vulnerable devices

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available on GitHub; remote exploitation requires no authentication

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.totolink.net/

Restart Required: Yes

Instructions:

1. Check vendor website for firmware updates
2. Download latest firmware
3. Upload via router admin interface
4. Reboot device

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Isolate vulnerable routers from internet and critical internal networks

Access Control Lists (applies to: linux)

Block external access to router web interface (port 80/443). As originally given, the rules dropped every packet to ports 80 and 443, including LAN management access; binding them to the Internet-facing interface removes only the external exposure. Note that the vulnerability is also exploitable from inside the LAN, so this limits reach rather than removing the flaw:

# Replace WAN_IF with the Internet-facing interface name of the host running the rules.
# Use "-I INPUT 1" instead of "-A INPUT" if an earlier rule already accepts this traffic.
iptables -A INPUT -i "$WAN_IF" -p tcp --dport 80 -j DROP
iptables -A INPUT -i "$WAN_IF" -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Replace vulnerable devices with patched alternatives
  • Implement strict network segmentation and firewall rules to limit exposure

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface or via SSH: cat /proc/version (note that /proc/version reports the kernel build string, which may differ from the firmware version string; the version shown in the admin interface is the one to compare against the affected versions)

Check Version:

ssh admin@router-ip 'cat /proc/version' or check web interface

Verify Fix Applied:

Verify the running firmware version is newer than the affected versions (4.1.5cu.861_B20230220 and 4.1.8cu.5207); no specific fixed version has been published, so check the vendor advisory for the current release

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /cgi-bin/cstecgi.cgi
  • Repeated oversized or malformed requests to that endpoint from the same source (failed overflow attempts)
  • Unexpected device reboots

Network Indicators:

  • HTTP POST requests to the router IP whose desc parameter is unusually long
  • Traffic spikes to router management interface

SIEM Query:

source="router.log" AND (uri="/cgi-bin/cstecgi.cgi" AND method="POST" AND size>1000)
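As an added example (not part of this advisory or any vendor tooling), the log and network indicators above as a small Python scanner over a constructed key=value access-log export. The export format, its field names, the optional logged body and the desc length threshold are assumptions; the size>1000 threshold is the one from the SIEM query.

```python
import re
from collections import Counter

# size>1000 comes from the SIEM query above; the desc bound is an assumed
# upper limit for a legitimate static-DHCP description.
CGI_PATH = "/cgi-bin/cstecgi.cgi"
SIZE_THRESHOLD = 1000
DESC_THRESHOLD = 256

# Assumed key=value export format (constructed for this example); body is optional.
LINE_RE = re.compile(
    r'src=(?P<src>\S+)\s+method=(?P<method>\S+)\s+uri=(?P<uri>\S+)'
    r'\s+size=(?P<size>\d+)(?:\s+body="(?P<body>[^"]*)")?'
)

def desc_length(body):
    """Length of the desc parameter in a logged form body, 0 if absent."""
    m = re.search(r'(?:^|&)desc=([^&]*)', body or "")
    return len(m.group(1)) if m else 0

def scan(lines):
    """Return (src, reason) for POSTs to the CGI that are oversized or carry a long desc."""
    alerts = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["method"] != "POST" or m["uri"].split("?")[0] != CGI_PATH:
            continue
        size, dlen = int(m["size"]), desc_length(m["body"])
        if dlen > DESC_THRESHOLD:
            alerts.append((m["src"], f"desc parameter {dlen} bytes"))
        elif size > SIZE_THRESHOLD:
            alerts.append((m["src"], f"oversized POST ({size} bytes)"))
    return alerts

def repeated_sources(alerts, min_hits=2):
    """Sources with repeated hits: the 'multiple attempts' indicator above."""
    counts = Counter(src for src, _ in alerts)
    return sorted(src for src, n in counts.items() if n >= min_hits)

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    'src=192.0.2.10 method=GET uri=/cgi-bin/cstecgi.cgi size=230',
    'src=192.0.2.10 method=POST uri=/cgi-bin/cstecgi.cgi size=512 body="desc=printer&ip=192.168.0.20"',
    f'src=192.0.2.55 method=POST uri=/cgi-bin/cstecgi.cgi size=1840 body="desc={"A" * 600}&ip=192.168.0.50"',
    'src=192.0.2.77 method=POST uri=/cgi-bin/cstecgi.cgi size=1500',
    'src=192.0.2.77 method=POST uri=/index.html size=5000',
    f'src=192.0.2.55 method=POST uri=/cgi-bin/cstecgi.cgi size=2200 body="desc={"B" * 900}"',
]
```

Running scan(SAMPLE_LOG) flags the two long-desc requests and the oversized bodiless POST, and repeated_sources() singles out the source that hit the endpoint twice.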
