CVE-2024-23060 in A3300Rinfo

Summary

by MITRE • 01/11/2024

TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the ip parameter in the setDmzCfg function.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 06/17/2025

The vulnerability identified as CVE-2024-23060 represents a critical command injection flaw within the TOTOLINK A3300R router firmware version V17.0.0cu.557_B20221024. This vulnerability exists in the web interface's setDmzCfg function where the ip parameter is improperly handled, allowing remote attackers to execute arbitrary commands on the affected device. The flaw stems from insufficient input validation and sanitization of user-supplied parameters, creating an avenue for malicious actors to inject and execute system commands with the privileges of the web server process.

The technical implementation of this vulnerability places the affected device at significant risk as the command injection occurs within the router's administration interface. When a user submits a malformed ip parameter to the setDmzCfg function, the system fails to properly sanitize the input before incorporating it into system commands. This allows attackers to append malicious commands that get executed by the underlying operating system, potentially enabling complete system compromise. The vulnerability specifically targets the Dynamic Host Configuration Protocol (DHCP) and DMZ configuration settings, which are critical network functions that control device connectivity and security policies.

From an operational perspective, this vulnerability presents severe implications for network security and device integrity. Attackers can leverage this flaw to gain unauthorized access to the router's administrative functions, potentially enabling them to modify network configurations, establish persistent backdoors, or use the compromised device as a pivot point for attacking other systems within the network. The impact extends beyond individual device compromise as routers serve as gateway points for network traffic, making them prime targets for attackers seeking to establish persistent access to entire network segments. This vulnerability aligns with CWE-77 and CWE-94 categories, specifically addressing command injection weaknesses that allow arbitrary code execution through improper input handling.

The exploitation of this vulnerability requires minimal prerequisites and can be executed remotely without authentication, making it particularly dangerous for deployed network infrastructure. Network defenders should consider this vulnerability in the context of ATT&CK framework techniques such as T1059.001 for command and scripting interpreter and T1021.001 for remote services, as it enables attackers to execute commands and establish remote access capabilities. Mitigation strategies should include immediate firmware updates from TOTOLINK, network segmentation to limit access to administrative interfaces, and implementation of network monitoring to detect anomalous command execution patterns. Additionally, organizations should enforce strict input validation controls and implement web application firewalls to prevent malicious parameter injection attempts. The vulnerability demonstrates the critical importance of proper input sanitization and access control mechanisms in network device management interfaces, as highlighted in industry standards such as NIST SP 800-53 and ISO/IEC 27001 security requirements for secure network device configuration and operation.

Reservation

01/11/2024

Disclosure

01/11/2024

Moderation

accepted

CPE

ready

EPSS

0.01700

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!