CRITICAL🇵🇱 Wersja polska

CVE-2024-37637

CVSS 9.8v3.1pub. 2024-06-14upd. 2025-04-03

TOTOLINK A3700R V9.1.2u.6165_20211012 was discovered to contain a stack overflow via ssid5g in the function setWizardCfg.

🤖 AI Analysis
How it works

An attacker sends a network request containing an excessively long value of the ssid5g parameter to the setWizardCfg function in the router's firmware. The function copies input data to a stack buffer without verifying its length (CWE-120 — lack of bounds checking), leading to stack overflow. This enables overwriting data that controls program execution flow and potential execution of arbitrary code.

Impact

A remote, unauthenticated attacker can trigger arbitrary code execution (RCE) on the device or cause its failure (denial of service), gaining full control over the router, including access to network configuration and traffic.

Mitigation & patch

Apply patches available from the manufacturer according to references. Until an update is applied, it is recommended to restrict access to the device management interface exclusively to trusted IP addresses and isolate the device from unauthorized network traffic.

Who is affected

TOTOLINK A3700R with firmware version V9.1.2u.6165_20211012

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Totolink A3700r

    HW
    Totolink
    wszystkie wersje
  • Totolink A3700r Firmware

    OS
    Totolink
    9.1.2u.6165_20211012
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-42545CRITICAL9.8PL ✓ten sam produkt

Buffer overflow w parametrze ssid funkcji setWizardCfg — TOTOLINK A3700R

CVE-2024-42543CRITICAL9.8PL ✓ten sam produkt

Buffer overflow w TOTOLINK A3700R — parametr http_host w funkcji loginauth

CVE-2024-37632CRITICAL9.8PL ✓ten sam produkt

Stack overflow w TOTOLINK A3700R — podatność w funkcji loginAuth

CVE-2024-37635CRITICAL9.8PL ✓ten sam produkt

Stack overflow w TOTOLINK A3700R — funkcja setWiFiBasicCfg (ssid)

CVE-2024-37634CRITICAL9.8PL ✓ten sam produkt

Stack overflow w TOTOLINK A3700R — funkcja setWiFiEasyCfg (parametr ssid)