Details of VAR-202409-0140

ID

VAR-202409-0140

CVE

CVE-2024-8574

TITLE

TOTOLINK of T8 in the firmware OS Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2024-007663

DESCRIPTION

A vulnerability has been found in TOTOLINK AC1200 T8 4.1.5cu.861_B20230220 and classified as critical. This vulnerability affects the function setParentalRules of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument slaveIpList leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. TOTOLINK of T8 The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. TOTOLINK AC1200 T8 is a wireless router that supports dual-band Wi-Fi at 1200Mbps and is suitable for home or small office scenarios. The slaveIpList parameter is not properly input validated. An attacker can exploit this vulnerability to completely control the router device

Trust: 2.16

sources: NVD: CVE-2024-8574 // JVNDB: JVNDB-2024-007663 // CNVD: CNVD-2025-13893

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2025-13893

AFFECTED PRODUCTS

vendor:	totolink	model:	t8	scope:	eq	version:	4.1.5cu.861_b20230220	Trust: 1.0
vendor:	totolink	model:	t8	scope:	-	version:	-	Trust: 0.8
vendor:	totolink	model:	t8	scope:	eq	version:	t8 firmware 4.1.5cu.861 b20230220	Trust: 0.8
vendor:	totolink	model:	t8	scope:	eq	version:	-	Trust: 0.8
vendor:	totolink	model:	ac1200 t8 4.1.5cu.861 b20230220	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2025-13893 // JVNDB: JVNDB-2024-007663 // NVD: CVE-2024-8574

CVSS

SEVERITY

CVSSV2

CVSSV3

cna@vuldb.com:	CVE-2024-8574
value:	MEDIUM
Trust: 1.0
nvd@nist.gov:	CVE-2024-8574
value:	HIGH
Trust: 1.0
OTHER:	JVNDB-2024-007663
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2025-13893
value:	MEDIUM
Trust: 0.6

cna@vuldb.com:	CVE-2024-8574
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
OTHER:	JVNDB-2024-007663
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2025-13893
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

cna@vuldb.com:	CVE-2024-8574
baseSeverity:	MEDIUM
baseScore:	6.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	2.8
impactScore:	3.4
version:	3.1
Trust: 1.0
nvd@nist.gov:	CVE-2024-8574
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	JVNDB-2024-007663
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2025-13893 // JVNDB: JVNDB-2024-007663 // NVD: CVE-2024-8574 // NVD: CVE-2024-8574

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.0
problemtype:	OS Command injection (CWE-78) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2024-007663 // NVD: CVE-2024-8574

EXTERNAL IDS

db:	NVD	id:	CVE-2024-8574	Trust: 3.2
db:	VULDB	id:	276808	Trust: 2.4
db:	JVNDB	id:	JVNDB-2024-007663	Trust: 0.8
db:	CNVD	id:	CNVD-2025-13893	Trust: 0.6

sources: CNVD: CNVD-2025-13893 // JVNDB: JVNDB-2024-007663 // NVD: CVE-2024-8574

REFERENCES

url:	https://vuldb.com/?id.276808	Trust: 2.4
url:	https://vuldb.com/?submit.401289	Trust: 2.4
url:	https://github.com/abcdefg-png/iot-vulnerable/blob/main/totolink/ac1200t8/setupgradefw.md	Trust: 2.4
url:	https://www.totolink.net/	Trust: 2.4
url:	https://vuldb.com/?ctiid.276808	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2024-8574	Trust: 0.8

sources: CNVD: CNVD-2025-13893 // JVNDB: JVNDB-2024-007663 // NVD: CVE-2024-8574

SOURCES

db:	CNVD	id:	CNVD-2025-13893
db:	JVNDB	id:	JVNDB-2024-007663
db:	NVD	id:	CVE-2024-8574

LAST UPDATE DATE

2025-06-29T22:51:23.184000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2025-13893	date:	2025-06-27T00:00:00
db:	JVNDB	id:	JVNDB-2024-007663	date:	2024-09-10T01:30:00
db:	NVD	id:	CVE-2024-8574	date:	2024-09-09T18:47:10.577

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2025-13893	date:	2025-06-27T00:00:00
db:	JVNDB	id:	JVNDB-2024-007663	date:	2024-09-10T00:00:00
db:	NVD	id:	CVE-2024-8574	date:	2024-09-08T11:15:10.430