Details of VAR-202405-1423

ID

VAR-202405-1423

CVE

CVE-2024-32352

TITLE

TOTOLINK of X5000R Code injection vulnerability in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2024-021754

DESCRIPTION

TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an authenticated remote command execution (RCE) vulnerability via the "ipsecL2tpEnable" parameter in the "cstecgi.cgi" binary. TOTOLINK of X5000R A code injection vulnerability exists in the firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. TOTOLINK X5000R is a router of China's TOTOLINK Electronics. The vulnerability is caused by the ipsecL2tpEnable parameter of cstecgi.cgi failing to properly filter special elements of the constructed code segment. An attacker can exploit this vulnerability to cause arbitrary code execution

Trust: 2.16

sources: NVD: CVE-2024-32352 // JVNDB: JVNDB-2024-021754 // CNVD: CNVD-2024-40408

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2024-40408

AFFECTED PRODUCTS

vendor:	totolink	model:	x5000r	scope:	eq	version:	9.1.0cu.2350_b20230313	Trust: 1.0
vendor:	totolink	model:	x5000r	scope:	-	version:	-	Trust: 0.8
vendor:	totolink	model:	x5000r	scope:	eq	version:	x5000r firmware 9.1.0cu.2350 b20230313	Trust: 0.8
vendor:	totolink	model:	x5000r	scope:	eq	version:	-	Trust: 0.8
vendor:	totolink	model:	x5000r v9.1.0cu.2350 b20230313	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2024-40408 // JVNDB: JVNDB-2024-021754 // NVD: CVE-2024-32352

CVSS

SEVERITY

CVSSV2

CVSSV3

134c704f-9b21-4f2e-91b3-4a467353bcc0:	CVE-2024-32352
value:	HIGH
Trust: 1.0
OTHER:	JVNDB-2024-021754
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2024-40408
value:	HIGH
Trust: 0.6

CNVD:	CNVD-2024-40408
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

134c704f-9b21-4f2e-91b3-4a467353bcc0:	CVE-2024-32352
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
OTHER:	JVNDB-2024-021754
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2024-40408 // JVNDB: JVNDB-2024-021754 // NVD: CVE-2024-32352

PROBLEMTYPE DATA

problemtype:	CWE-94	Trust: 1.0
problemtype:	Code injection (CWE-94) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2024-021754 // NVD: CVE-2024-32352

EXTERNAL IDS

db:	NVD	id:	CVE-2024-32352	Trust: 3.2
db:	JVNDB	id:	JVNDB-2024-021754	Trust: 0.8
db:	CNVD	id:	CNVD-2024-40408	Trust: 0.6

sources: CNVD: CNVD-2024-40408 // JVNDB: JVNDB-2024-021754 // NVD: CVE-2024-32352

REFERENCES

url:	https://github.com/1s1and123/vulnerabilities/blob/main/device/totolink/x5000r/totolink_x5000r_rce.md	Trust: 1.8
url:	https://www.totolink.net/	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2024-32352	Trust: 1.4

sources: CNVD: CNVD-2024-40408 // JVNDB: JVNDB-2024-021754 // NVD: CVE-2024-32352

SOURCES

db:	CNVD	id:	CNVD-2024-40408
db:	JVNDB	id:	JVNDB-2024-021754
db:	NVD	id:	CVE-2024-32352

LAST UPDATE DATE

2025-04-11T23:16:22.247000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2024-40408	date:	2024-10-11T00:00:00
db:	JVNDB	id:	JVNDB-2024-021754	date:	2025-04-10T02:17:00
db:	NVD	id:	CVE-2024-32352	date:	2025-04-04T14:28:01.343

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2024-40408	date:	2024-10-11T00:00:00
db:	JVNDB	id:	JVNDB-2024-021754	date:	2025-04-10T00:00:00
db:	NVD	id:	CVE-2024-32352	date:	2024-05-14T16:17:03.113