CVE-2022-26210

Name of the Vulnerable Software and Affected Versions TOTOLINK A800R version 4.1.2cu.5137 B20200730 TOTOLINK A810R version 4.1.2cu.5182 B20201026 TOTOLINK A830R version 5.9c.4729 B20191112 TOTOLINK A3000RU version 5.9c.5185 B20201128 TOTOLINK A3100R version 4.1.2cu.5050 B20200504 TOTOLINK A950RG version 4.1.2cu.5161 B20200903

Description The issue is related to the setUpgradeFW function in the firmware of TOTOLINK routers, which lacks input validation for the FileName parameter. This allows a remote attacker to execute arbitrary commands via a crafted request.

Recommendations For TOTOLINK A800R version 4.1.2cu.5137 B20200730, consider disabling the setUpgradeFW function until a patch is available. For TOTOLINK A810R version 4.1.2cu.5182 B20201026, restrict access to the setUpgradeFW function to minimize the risk of exploitation. For TOTOLINK A830R version 5.9c.4729 B20191112, avoid using the FileName parameter in the affected function until the issue is resolved. For TOTOLINK A3000RU version 5.9c.5185 B20201128, apply configuration changes to limit the impact of the vulnerability. For TOTOLINK A3100R version 4.1.2cu.5050 B20200504, consider implementing additional security measures to prevent command injection attacks. For TOTOLINK A950RG version 4.1.2cu.5161 B20200903, temporarily disable the setUpgradeFW function to prevent exploitation.