PT-2023-27233 · Totolink · Totolink T10 V2

Korey0Sh1 · Published 2023-08-08 · Updated 2023-08-11 · CVE-2023-40042

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

TOTOLINK T10 v2 version 5.9c.5061 B20200511

Description

The issue is a stack-based buffer overflow in the setStaticDhcpConfig function located in /lib/cste modules/lan.so. Attackers can exploit this by sending crafted data in an MQTT packet, specifically via the comment parameter, to control the return address and potentially execute code.

Recommendations

For TOTOLINK T10 v2 version 5.9c.5061 B20200511, as a temporary workaround, consider restricting access to the setStaticDhcpConfig function in /lib/cste modules/lan.so to minimize the risk of exploitation. Avoid using the comment parameter in MQTT packets until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Memory Corruption

Weakness Enumeration

Related identifiers

CVE-2023-40042

Affected products

Totolink T10 V2