Command Injection Vulnerability in TOTOLink A3100R by TOTOLink
CVE-2022-25077

9.8CRITICAL

Key Information:

Vendor: Totolink
Status: A3100r Firmware
Vendor: CVE Published:; 24 February 2022

Summary

A command injection flaw has been identified in TOTOLink A3100R firmware, specifically in the Main function. This vulnerability enables unauthorized attackers to execute arbitrary commands on the device by manipulating the QUERY_STRING parameter. Leveraging this vulnerability could lead to serious security compromises, allowing attackers to control the device's operations.

References

https://github.com/EPhaha/IOT_vuln/blob/main/TOTOLink/A31...

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 24, 2022
Vulnerability Reserved
Feb 14, 2022