PT-2023-12946 · Totolink · Totolink Outdoor Cpe Cp900
Published 2023-03-23 · Updated 2023-08-08 · CVE-2022-28494
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
TOTOLink outdoor CPE CP900 version 6.3c.566 B20171026
Description
A command injection issue exists in the setUpgradeFW function via the filename parameter, allowing attackers to execute arbitrary commands through a crafted request.
Recommendations
For version 6.3c.566 B20171026, consider restricting access to the setUpgradeFW function until a patch is available, and avoid using the filename parameter in the affected API endpoint to minimize the risk of exploitation.
Weakness Enumeration
OS Command Injection
Related Identifiers
Affected Products
Totolink Outdoor Cpe Cp900