PT-2023-19445 · Totolink · Totolink T8

Published: 2023-01-16 · Updated: 2025-03-26 · CVE-2023-24157

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: TOTOLINK T8 version 4.1.5cu
Description: A command injection issue exists in the serverIp parameter of the updateWifiInfo function, allowing attackers to execute arbitrary commands by sending a crafted MQTT packet.
Recommendations: For TOTOLINK T8 version 4.1.5cu, consider restricting access to the updateWifiInfo function until a patch is available. As a temporary workaround, avoid using the serverIp parameter in the affected function to minimize the risk of exploitation.

Exploit

Fix

Command Injection

Weakness Enumeration

Related Identifiers

BDU:2025-04271
CVE-2023-24157

Affected Products

Totolink T8