CVE-2024-7171

MEDIUM

TOTOLINK A3600R 4.1.2cu.5182_B20201102 - OS Command Injection via NTPSyncWithHost hostTime Parameter

Title source: llm

Description

A vulnerability classified as critical has been found in TOTOLINK A3600R 4.1.2cu.5182_B20201102. Affected is the function NTPSyncWithHost of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument hostTime leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-272592. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

Core 4

Core References

Third Party Advisory vdb-entry technical-description

https://vuldb.com/?id.272592

Third Party Advisory signature permissions-required

https://vuldb.com/?ctiid.272592

Third Party Advisory third-party-advisory

https://vuldb.com/?submit.378038

Exploit exploit

https://github.com/abcdefg-png/IoT-vulnerable/blob/main/TOTOLINK/A3600R/NTPSyncWithHost.md

Scores

CVSS v3 6.3

EPSS 0.0267

EPSS Percentile 86.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-78

Status published

Products (1)

totolink/a3600r_firmware 4.1.2cu.5182_b20201102

Published Jul 28, 2024

Tracked Since Feb 18, 2026