CVE-2024-34257
published 2024-05-08

CVE-2024-34257: TOTOLINK EX1800T V9.1.0cu.2112_B20220316 has a vulnerability in the apcliEncrypType parameter that allows unauthorized execution of arbitrary commands…

Priority: P186 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 3.85% (88.8th percentile)
TOTOLINK EX1800T V9.1.0cu.2112_B20220316 has a vulnerability in the apcliEncrypType parameter that allows unauthorized execution of arbitrary commands, allowing an attacker to obtain device administrator privileges.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
totolink | ex1800t_firmware | |

Detection & IOCs (extracted from sources)

url: /cgi-bin/cstecgi.cgi
command: `id>../{{file}}.txt`
other: topicurl=setWiFiExtenderConfig
version: TOTOLINK EX1800T V9.1.0cu.2112_B20220316
sigma
regex: uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)
  • Detect POST requests to /cgi-bin/cstecgi.cgi with JSON body containing 'apcliEncrypType' and 'topicurl':'setWiFiExtenderConfig' — the injection point for CVE-2024-34257.
  • Alert on backtick-wrapped shell commands (command substitution) in the 'apcliEncrypType' JSON field, e.g. values matching the pattern `<cmd>`.
  • A successful exploit results in a text file written to the web root; monitor for unexpected .txt file creation under the web-accessible directory and subsequent GET requests retrieving them.
  • Exploit confirmation: HTTP 200 response body containing '"success": true' on the POST, followed by a response body matching uid=/gid= pattern on the GET, indicates successful RCE.
  • Use Shodan/FOFA/Google dorks to identify exposed TOTOLINK devices: http.title:"totolink", title="totolink", intitle:"totolink".
  • The vulnerability is unauthenticated — the token field is sent empty. Flag POST requests to setWiFiExtenderConfig with an empty or missing token.
  • The exploit requires no authentication (empty token), meaning no credentials are needed to trigger the command injection on affected firmware.
  • Only TOTOLINK EX1800T firmware version V9.1.0cu.2112_B20220316 is confirmed vulnerable; other versions are not specified as affected.
  • The EPSS score is 0.89615 (99.56th percentile), indicating very high likelihood of exploitation in the wild — prioritize detection and patching.
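
The detection points above, combined into one log-inspection routine. This is an added example, not code from the page or its sources; the function names, the extra shell-metacharacter check, the "AES" value, the "exampleOtherTopic" topic and the sample records are assumptions constructed for illustration.

```python
import json
import re

ENDPOINT = "/cgi-bin/cstecgi.cgi"
TOPIC = "setWiFiExtenderConfig"
BACKTICKS = re.compile(r"`[^`]*`")            # `cmd` command substitution
SHELL_META = re.compile(r"[`$;|&<>\n]")       # assumption: never valid in this field
ID_OUTPUT = re.compile(r"uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)")  # regex from the page

def inspect_request(method, path, body):
    """Return findings for one logged HTTP request; an empty list means no match."""
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return []
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return []
    if not isinstance(data, dict) or data.get("topicurl") != TOPIC:
        return []
    findings = []
    value = data.get("apcliEncrypType")
    if value is not None:
        text = value if isinstance(value, str) else json.dumps(value)
        if BACKTICKS.search(text):
            findings.append("backtick command substitution in apcliEncrypType")
        elif SHELL_META.search(text):
            findings.append("shell metacharacter in apcliEncrypType")
    if not data.get("token"):
        findings.append("empty or missing token")
    return findings

def confirms_execution(get_path, response_body):
    """True when a follow-up GET for a .txt file returns id-style output."""
    return get_path.lower().endswith(".txt") and bool(ID_OUTPUT.search(response_body))

# Constructed sample traffic (not captured from a real device).
SAMPLES = [
    ("POST", ENDPOINT, '{"topicurl":"setWiFiExtenderConfig","apcliEncrypType":"`id>../t.txt`","token":""}'),
    ("POST", ENDPOINT, '{"topicurl":"setWiFiExtenderConfig","apcliEncrypType":"AES","token":"a1b2c3"}'),
    ("POST", ENDPOINT, '{"topicurl":"exampleOtherTopic","token":""}'),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[2][:60], "->", inspect_request(*sample))
    print(confirms_execution("/t.txt", "uid=0(root) gid=0(root)"))
```

A request that returns both findings, followed by a GET for which `confirms_execution` is true, corresponds to the exploit-confirmation sequence described in the list.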

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck | 9.8 | CRITICAL