Sign-up

ID

VAR-202401-0476


CVE

CVE-2024-0293


TITLE

TOTOLINK  of  lr1200gb  in the firmware  OS  Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2024-001221

DESCRIPTION

A vulnerability classified as critical was found in Totolink LR1200GB 9.1.0u.6619_B20230130. Affected by this vulnerability is the function setUploadSetting of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument FileName leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249859. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. TOTOLINK of lr1200gb The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The TOTOLINK LR1200GB is a dual-band 4G LTE wireless router manufactured by TOTOLINK, a Chinese company. It supports both 2.4GHz and 5GHz dual-band networks and is primarily used to provide mobile broadband connectivity and Wi-Fi coverage. The TOTOLINK LR1200GB contains an operating system command injection vulnerability. This vulnerability stems from the fact that the FileName parameter of the setUploadSetting function on the /cgi-bin/cstecgi.cgi page fails to properly filter special characters and commands used in constructing commands. Detailed vulnerability information is currently unavailable

Trust: 2.25

sources: NVD: CVE-2024-0293 // JVNDB: JVNDB-2024-001221 // CNVD: CNVD-2025-30274 // VULMON: CVE-2024-0293

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-30274

AFFECTED PRODUCTS

vendor:totolinkmodel:lr1200gbscope:eqversion:9.1.0u.6619_b20230130

Trust: 1.0

vendor:totolinkmodel:lr1200gbscope:eqversion: -

Trust: 0.8

vendor:totolinkmodel:lr1200gbscope:eqversion:lr1200gb firmware 9.1.0u.6619 b20230130

Trust: 0.8

vendor:totolinkmodel:lr1200gbscope: - version: -

Trust: 0.8

vendor:totolinkmodel:lr1200gb 9.1.0u.6619 b20230130scope: - version: -

Trust: 0.6

sources: CNVD: CNVD-2025-30274 // JVNDB: JVNDB-2024-001221 // NVD: CVE-2024-0293

CVSS

SEVERITY

CVSSV2

CVSSV3

cna@vuldb.com: CVE-2024-0293
value: MEDIUM

Trust: 1.0

nvd@nist.gov: CVE-2024-0293
value: CRITICAL

Trust: 1.0

NVD: CVE-2024-0293
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2025-30274
value: MEDIUM

Trust: 0.6

cna@vuldb.com: CVE-2024-0293
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

CNVD: CNVD-2025-30274
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

cna@vuldb.com: CVE-2024-0293
baseSeverity: MEDIUM
baseScore: 6.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.8
impactScore: 3.4
version: 3.1

Trust: 1.0

nvd@nist.gov: CVE-2024-0293
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2024-0293
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2025-30274 // JVNDB: JVNDB-2024-001221 // NVD: CVE-2024-0293 // NVD: CVE-2024-0293

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.0

problemtype:OS Command injection (CWE-78) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2024-001221 // NVD: CVE-2024-0293

PATCH

title:Patch for TOTOLINK LR1200GB setUploadSetting function operating system command injection vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/778491

Trust: 0.6

sources: CNVD: CNVD-2025-30274

EXTERNAL IDS

db:NVDid:CVE-2024-0293

Trust: 3.3

db:VULDBid:249859

Trust: 1.7

db:JVNDBid:JVNDB-2024-001221

Trust: 0.8

db:CNVDid:CNVD-2025-30274

Trust: 0.6

db:VULMONid:CVE-2024-0293

Trust: 0.1

sources: CNVD: CNVD-2025-30274 // VULMON: CVE-2024-0293 // JVNDB: JVNDB-2024-001221 // NVD: CVE-2024-0293

REFERENCES

url:https://github.com/jylsec/vuldb/blob/main/totolink/lr1200gb/setuploadsetting/readme.md

Trust: 1.9

url:https://vuldb.com/?id.249859

Trust: 1.7

url:https://vuldb.com/?ctiid.249859

Trust: 1.1

url:https://nvd.nist.gov/vuln/detail/cve-2024-0293

Trust: 0.8

url:https://cwe.mitre.org/data/definitions/78.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2025-30274 // VULMON: CVE-2024-0293 // JVNDB: JVNDB-2024-001221 // NVD: CVE-2024-0293

SOURCES

db:CNVDid:CNVD-2025-30274
db:VULMONid:CVE-2024-0293
db:JVNDBid:JVNDB-2024-001221
db:NVDid:CVE-2024-0293

LAST UPDATE DATE

2025-12-19T23:02:31.688000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2025-30274date:2025-12-09T00:00:00
db:VULMONid:CVE-2024-0293date:2024-01-08T00:00:00
db:JVNDBid:JVNDB-2024-001221date:2024-02-01T05:41:00
db:NVDid:CVE-2024-0293date:2024-05-17T02:34:29.473

SOURCES RELEASE DATE

db:CNVDid:CNVD-2025-30274date:2025-12-08T00:00:00
db:VULMONid:CVE-2024-0293date:2024-01-08T00:00:00
db:JVNDBid:JVNDB-2024-001221date:2024-02-01T00:00:00
db:NVDid:CVE-2024-0293date:2024-01-08T03:15:13.820