PT-2022-17093 · Totolink Technology · Totolink T6 V3+1

Published

2022-02-18

Updated

2022-02-28

CVE-2022-25136

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions TOTOLINK Technology T6 V3 Firmware version T6 V3 V4.1.5cu.748 B20211015 TOTOLINK Technology T10 V2 Firmware version V4.1.8cu.5207 B20210320

Description A command injection issue in the meshSlaveUpdate function of TOTOLINK Technology routers allows attackers to execute arbitrary commands via a crafted MQTT packet.

Recommendations For TOTOLINK Technology T6 V3 Firmware version T6 V3 V4.1.5cu.748 B20211015, consider disabling the meshSlaveUpdate function until a patch is available. For TOTOLINK Technology T10 V2 Firmware version V4.1.8cu.5207 B20210320, consider disabling the meshSlaveUpdate function until a patch is available. As a temporary workaround, restrict access to the vulnerable function to minimize the risk of exploitation.

Fix

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-77

Related Identifiers

CVE-2022-25136

Affected Products

Totolink T10 V2

Totolink T6 V3

PT-2022-17093 · Totolink Technology · Totolink T6 V3+1

CVE-2022-25136

Weakness Enumeration

Related Identifiers

Affected Products

References · 6