CVE-2022-25081

CVSS v2.0

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions TOTOLink T10 version V5.9c.5061 B20200511

Description The issue is related to the lack of input data sanitization in the "Main" function of the TOTOLink T10 mesh system. This allows a remote attacker to execute arbitrary commands through the QUERY STRING parameter.

Recommendations For TOTOLink T10 version V5.9c.5061 B20200511, consider disabling the "Main" function until a patch is available to prevent exploitation via the QUERY STRING parameter. Avoid using the QUERY STRING parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

OS Command Injection

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78CWE-77

Related Identifiers

BDU:2022-04660

CVE-2022-25081

Affected Products

Totolink T10

CVE-2022-25081

Weakness Enumeration

Related Identifiers

Affected Products

References · 5