CRITICAL🇵🇱 Wersja polska

CVE-2024-22529

CVSS 9.8v3.1pub. 2024-01-25upd. 2025-06-04

TOTOLINK X2000R_V2 V2.0.0-B20230727.10434 has a command injection vulnerability in the sub_449040 (handle function of formUploadFile) of /bin/boa.

🤖 AI Analysis
How it works

The vulnerability is located in the sub_449040 function, which is the formUploadFile handler in the web server process /bin/boa. This function does not properly filter user-supplied input data during file upload, which allows injection of arbitrary system commands. An attacker can craft an appropriate HTTP request and submit it to the device management interface without the need for authentication.

Impact

Successful exploitation of the vulnerability allows an attacker to remotely execute arbitrary commands with the privileges of the web server process, which in practice may result in complete takeover of the device, violation of confidentiality, integrity, and availability of the system.

Mitigation & patch

Patches available from the manufacturer should be applied in accordance with the references. Until updates are applied, it is recommended to restrict access to the device management panel exclusively to trusted networks or IP addresses and to disable access to the administrative interface from the WAN side.

Who is affected

TOTOLINK X2000R_V2 with firmware version V2.0.0-B20230727.10434

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Totolink X2000r

    HW
    Totolink
    v2
  • Totolink X2000r Firmware

    OS
    Totolink
    2.0.0-b20230727.10434
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2023-51136CRITICAL9.8PL ✓ten sam produkt

Stack overflow w TOTOLINK X2000R przez funkcję formRebootSchedule

CVE-2023-51135CRITICAL9.8PL ✓ten sam produkt

Stack overflow w TOTOLINK X2000R — podatność w funkcji formPasswordSetup

CVE-2023-51133CRITICAL9.8PL ✓ten sam produkt

Stack overflow w TOTOLINK X2000R — funkcja formRoute umożliwia RCE

CVE-2023-46542CRITICAL9.8ten sam produkt

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow via the function formM...

CVE-2023-46544CRITICAL9.8ten sam produkt

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow via the function formW...