CVE-2022-28497

Name of the Vulnerable Software and Affected Versions TOTOLink outdoor CPE CP900 version 6.3c.566 B20171026

Description The issue is related to a command injection vulnerability in the mtd write bootloader function via the filename parameter. This allows attackers to execute arbitrary commands via a crafted request.

Recommendations For TOTOLink outdoor CPE CP900 version 6.3c.566 B20171026, as a temporary workaround, consider restricting access to the mtd write bootloader function until a patch is available. Additionally, avoid using the filename parameter in crafted requests to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.