CVE-2024-27521

TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain an unauthenticated remote command execution (RCE) vulnerability via multiple parameters in the "setOpModeCfg" function. This security issue allows an attacker to take complete control of the device. In detail, exploitation allows unauthenticated, remote attackers to execute arbitrary system commands with administrative privileges (i.e., as user "root").

CVSS v3 8.0 HIGH

8.0^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.1 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/SpikeReply/advisories/blob/main/cve/totolink/cve-2024-27521.md	Third Party Advisory
https://m.totolink.net/portal/article/index/id/410.html	Product
https://github.com/SpikeReply/advisories/blob/main/cve/totolink/cve-2024-27521.md	Third Party Advisory
https://m.totolink.net/portal/article/index/id/410.html	Product

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:totolink:a3300r_firmware:17.0.0cu.557_b20221024:*:*:*:*:*:*:*

cpe:2.3:h:totolink:a3300r:-:*:*:*:*:*:*:*

History

08 Apr 2025, 15:27

Type	Values Removed	Values Added
References	~~() https://github.com/SpikeReply/advisories/blob/main/cve/totolink/cve-2024-27521.md -~~	() https://github.com/SpikeReply/advisories/blob/main/cve/totolink/cve-2024-27521.md - Third Party Advisory
References	~~() https://m.totolink.net/portal/article/index/id/410.html -~~	() https://m.totolink.net/portal/article/index/id/410.html - Product
CPE		cpe:2.3:o:totolink:a3300r_firmware:17.0.0cu.557_b20221024:::::::* cpe:2.3:h:totolink:a3300r:-:::::::*
First Time		Totolink Totolink a3300r Totolink a3300r Firmware

Information

Published : 2024-03-26 21:15

Updated : 2025-04-08 15:27

NVD link : CVE-2024-27521

Mitre link : CVE-2024-27521

CVE.ORG link : CVE-2024-27521

JSON object : View

Products Affected

totolink

a3300r_firmware
a3300r

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2024-27521", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.0, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.1}]}, "published": "2024-03-26T21:15:53.013", "references": [{"url": "https://github.com/SpikeReply/advisories/blob/main/cve/totolink/cve-2024-27521.md", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://m.totolink.net/portal/article/index/id/410.html", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://github.com/SpikeReply/advisories/blob/main/cve/totolink/cve-2024-27521.md", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://m.totolink.net/portal/article/index/id/410.html", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain an unauthenticated remote command execution (RCE) vulnerability via multiple parameters in the \"setOpModeCfg\" function. This security issue allows an attacker to take complete control of the device. In detail, exploitation allows unauthenticated, remote attackers to execute arbitrary system commands with administrative privileges (i.e., as user \"root\")."}, {"lang": "es", "value": "Se descubri\u00f3 que TOTOLINK A3300R V17.0.0cu.557_B20221024 contiene una vulnerabilidad de ejecuci\u00f3n remota de comandos (RCE) no autenticada a trav\u00e9s de m\u00faltiples par\u00e1metros en la funci\u00f3n \"setOpModeCfg\". Este problema de seguridad permite que un atacante tome el control total del dispositivo. En detalle, la explotaci\u00f3n permite a atacantes remotos no autenticados ejecutar comandos arbitrarios del sistema con privilegios administrativos (es decir, como usuario \"root\")."}], "lastModified": "2025-04-08T15:27:09.643", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:totolink:a3300r_firmware:17.0.0cu.557_b20221024:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DD39B647-3419-4C6D-A6A2-30F40822A27D"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:totolink:a3300r:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "7F723A73-4B32-4F9E-B5DA-80134D4711C1"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}