Command Injection Vulnerability in TOTOLink A800R Router
CVE-2022-25076

9.8CRITICAL

Key Information:

Vendor: Totolink
Status: A800r Firmware
Vendor: CVE Published:; 24 February 2022

Summary

A command injection vulnerability has been identified in the TOTOLink A800R Router with firmware version V4.1.2cu.5137_B20200730. This security flaw resides in the 'Main' function, enabling attackers to execute arbitrary commands by manipulating the QUERY_STRING parameter. Exploiting this vulnerability could lead to unauthorized access and potential control over the affected device, compromising network security. Users are urged to apply patches to secure their systems against possible attacks.

References

https://github.com/EPhaha/IOT_vuln/blob/main/TOTOLink/A80...

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 24, 2022
Vulnerability Reserved
Feb 14, 2022