CVE-2023-48800

Name of the Vulnerable Software and Affected Versions TOTOLINK X6000R version V9.4.0cu.852 B20230719

Description The issue is related to errors in the code of the TOTOLINK X6000R router's firmware, specifically in the sub 417338 function. This function obtains fields from the front-end, connects them through the snprintf function, and passes them to the CsteSystem function, resulting in a command execution issue. Exploitation of this issue may allow a remote attacker to execute arbitrary code.

Recommendations For TOTOLINK X6000R version V9.4.0cu.852 B20230719, as a temporary workaround, consider disabling the sub 417338 function until a patch is available. Restrict access to the shttpd file to minimize the risk of exploitation. Avoid using the snprintf function in conjunction with user-inputted fields in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.