ID

VAR-202403-2695


CVE

CVE-2024-27521


TITLE

OS command injection vulnerability in TOTOLINK a3300r firmware

Trust: 0.8

sources: JVNDB: JVNDB-2024-021725

DESCRIPTION

TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain an unauthenticated remote command execution (RCE) vulnerability via multiple parameters in the "setOpModeCfg" function. This security issue allows an attacker to take complete control of the device. In detail, exploitation allows unauthenticated, remote attackers to execute arbitrary system commands with administrative privileges (i.e., as user "root"). An OS command injection vulnerability exists in the TOTOLINK a3300r firmware. Information may be obtained or tampered with, and service operation may be interrupted (DoS). TOTOLINK A3300R is a dual-band wireless router. Attackers can use this vulnerability to execute arbitrary system commands.

Trust: 2.16

sources: NVD: CVE-2024-27521 // JVNDB: JVNDB-2024-021725 // CNVD: CNVD-2025-15271

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-15271

AFFECTED PRODUCTS

vendor: totolink, model: a3300r, scope: eq, version: 17.0.0cu.557_b20221024

Trust: 1.0

vendor: totolink, model: a3300r, scope: -, version: -

Trust: 0.8

vendor: totolink, model: a3300r, scope: eq, version: a3300r firmware 17.0.0cu.557 b20221024

Trust: 0.8

vendor: totolink, model: a3300r, scope: eq, version: -

Trust: 0.8

vendor: totolink, model: a3300r 17.0.0cu.557 b20221024, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2025-15271 // JVNDB: JVNDB-2024-021725 // NVD: CVE-2024-27521

CVSS

SEVERITY

CVSSV2

CVSSV3

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2024-27521
value: HIGH

Trust: 1.0

OTHER: JVNDB-2024-021725
value: HIGH

Trust: 0.8

CNVD: CNVD-2025-15271
value: HIGH

Trust: 0.6

CNVD: CNVD-2025-15271
severity: HIGH
baseScore: 7.7
vectorString: AV:A/AC:L/AU:S/C:C/I:C/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 5.1
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2024-27521
baseSeverity: HIGH
baseScore: 8.0
vectorString: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.1
impactScore: 5.9
version: 3.1

Trust: 1.0

OTHER: JVNDB-2024-021725
baseSeverity: HIGH
baseScore: 8.0
vectorString: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2025-15271 // JVNDB: JVNDB-2024-021725 // NVD: CVE-2024-27521

PROBLEMTYPE DATA

problemtype: CWE-78

Trust: 1.0

problemtype: OS Command injection (CWE-78) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2024-021725 // NVD: CVE-2024-27521

EXTERNAL IDS

db: NVD, id: CVE-2024-27521

Trust: 3.2

db: JVNDB, id: JVNDB-2024-021725

Trust: 0.8

db: CNVD, id: CNVD-2025-15271

Trust: 0.6

sources: CNVD: CNVD-2025-15271 // JVNDB: JVNDB-2024-021725 // NVD: CVE-2024-27521

REFERENCES

url: https://github.com/spikereply/advisories/blob/main/cve/totolink/cve-2024-27521.md

Trust: 1.8

url: https://m.totolink.net/portal/article/index/id/410.html

Trust: 1.8

url: https://nvd.nist.gov/vuln/detail/cve-2024-27521

Trust: 1.4

sources: CNVD: CNVD-2025-15271 // JVNDB: JVNDB-2024-021725 // NVD: CVE-2024-27521

SOURCES

db: CNVD, id: CNVD-2025-15271
db: JVNDB, id: JVNDB-2024-021725
db: NVD, id: CVE-2024-27521

LAST UPDATE DATE

2025-07-09T23:01:28.337000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2025-15271, date: 2025-07-08T00:00:00
db: JVNDB, id: JVNDB-2024-021725, date: 2025-04-09T08:17:00
db: NVD, id: CVE-2024-27521, date: 2025-04-08T15:27:09.643

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2025-15271, date: 2025-07-08T00:00:00
db: JVNDB, id: JVNDB-2024-021725, date: 2025-04-09T00:00:00
db: NVD, id: CVE-2024-27521, date: 2024-03-26T21:15:53.013