CVE-2022-26212

Name of the Vulnerable Software and Affected Versions Totolink A830R version 5.9c.4729 B20191112 Totolink A3100R version 4.1.2cu.5050 B20200504 Totolink A950RG version 4.1.2cu.5161 B20200903 Totolink A800R version 4.1.2cu.5137 B20200730 Totolink A3000RU version 5.9c.5185 B20201128 Totolink A810R version 4.1.2cu.5182 B20201026

Description The issue concerns a command injection vulnerability in the setDeviceName function, which can be exploited via the deviceMac and deviceName parameters. This allows attackers to execute arbitrary commands by sending a crafted request.

Recommendations For Totolink A830R version 5.9c.4729 B20191112, consider disabling the setDeviceName function until a patch is available. For Totolink A3100R version 4.1.2cu.5050 B20200504, restrict access to the deviceMac and deviceName parameters to minimize the risk of exploitation. For Totolink A950RG version 4.1.2cu.5161 B20200903, avoid using the deviceMac and deviceName parameters in the affected API endpoint until the issue is resolved. For Totolink A800R version 4.1.2cu.5137 B20200730, temporarily disable the setDeviceName function to prevent exploitation. For Totolink A3000RU version 5.9c.5185 B20201128, restrict the use of the deviceMac and deviceName parameters to prevent command injection. For Totolink A810R version 4.1.2cu.5182 B20201026, consider applying configuration changes to limit access to the setDeviceName function. At the moment, there is no information about a newer version that contains a fix for this vulnerability.