CVE-2024-28404 is a stored Cross-site Scripting (XSS) vulnerability identified in the TOTOLINK X2000R router models prior to firmware version V1.0.0-B20231213.1013. The vulnerability resides specifically in the MAC Filtering functionality within the Firewall configuration page. Stored XSS means that malicious JavaScript code can be injected by an attacker into the router’s web interface and persist in the device’s configuration. When an authenticated user accesses the affected page, the malicious script executes in their browser context. This can lead to session hijacking, unauthorized actions on behalf of the user, or further compromise of the router’s administrative interface. The CVSS 3.1 vector (AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H) indicates that the attack requires network access (remote but within the local network or VPN), low attack complexity, no privileges but requires user interaction, and the vulnerability affects confidentiality, integrity, and availability with a scope change (compromise beyond the initially vulnerable component). Although no public exploits are currently known, the vulnerability’s presence in a widely deployed consumer and small business router model makes it a significant threat. The CWE-79 classification confirms it as a classic XSS issue. The lack of an official patch link suggests that users must monitor vendor updates closely. The vulnerability can be exploited by tricking an authenticated user into visiting a malicious page or by an attacker with local network access injecting payloads into the MAC filtering list.

The impact of CVE-2024-28404 is substantial for organizations using TOTOLINK X2000R routers, especially in environments where these devices manage firewall rules and network access controls. Successful exploitation can lead to unauthorized administrative actions, session hijacking, and potential full compromise of the router’s management interface. This can result in network traffic interception, redirection, or disruption, severely affecting availability and confidentiality. The vulnerability’s stored nature means the malicious payload persists, increasing the risk of repeated exploitation. Organizations relying on these routers for perimeter defense or internal segmentation may face elevated risks of lateral movement by attackers. Additionally, compromised routers can serve as footholds for further network intrusion or as part of botnets. The requirement for user interaction limits remote exploitation but does not eliminate risk, especially in environments with many users or where social engineering is feasible.

To mitigate CVE-2024-28404, organizations should immediately restrict access to the router’s web management interface to trusted administrators only, preferably via secure VPN or isolated management VLANs. Disable remote management if not required. Monitor and audit the MAC Filtering entries for suspicious or unexpected entries that could contain malicious scripts. Apply the firmware update to version V1.0.0-B20231213.1013 or later as soon as it becomes available from TOTOLINK to remediate the vulnerability. In the interim, educate users about the risks of interacting with untrusted links or pages that could trigger the XSS payload. Employ network segmentation to limit exposure of management interfaces. Consider deploying web application firewalls or intrusion detection systems that can detect and block XSS payloads targeting the router’s interface. Regularly review router logs for anomalous activity indicative of exploitation attempts.