CVE-2023-51023

Name of the Vulnerable Software and Affected Versions TOTOlink EX1800T version 9.1.0cu.2112 B20220316

Description The issue concerns arbitrary command execution in the host time parameter of the NTPSyncWithHost interface of the cstecgi .cgi. This vulnerability exists due to the lack of measures to neutralize special elements used in the operating system command. Exploitation of this issue may allow a remote attacker to execute arbitrary commands using the host time parameter.

Recommendations For TOTOlink EX1800T version 9.1.0cu.2112 B20220316, consider disabling the host time parameter in the NTPSyncWithHost interface of the cstecgi .cgi as a temporary workaround until a patch is available. Restrict access to the NTPSyncWithHost interface to minimize the risk of exploitation. Avoid using the host time parameter in the affected interface until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.