CVE-2023-46992

Name of the Vulnerable Software and Affected Versions TOTOLINK A3300R version 17.0.0cu.557 B20221024

Description The issue is related to incorrect access control, allowing attackers to reset critical passwords without authentication by visiting specific pages, such as /wizard.html or /phone/wizard.html. This can enable a remote attacker to bypass security restrictions and change the WiFi password.

Recommendations For TOTOLINK A3300R version 17.0.0cu.557 B20221024, consider restricting access to the /wizard.html and /phone/wizard.html pages until a patch is available. As a temporary workaround, limit the ability to reset critical passwords without proper authentication to minimize the risk of exploitation.