Command Injection Vulnerability in TOTOLink Outdoor CPE CP900 by TOTOLink
CVE-2022-28491

9.8CRITICAL

Key Information:

Vendor: Totolink
Status: Cp900 Firmware
Vendor: CVE Published:; 23 March 2023

What is CVE-2022-28491?

TOTOLink's outdoor CPE CP900 device is susceptible to a command injection flaw within the NTPSyncWithHost function. Attackers can exploit this vulnerability by submitting a specially crafted request that manipulates the host_name parameter, enabling them to execute arbitrary commands on the device. This poses a serious risk to network integrity and security, making it essential for users to apply necessary updates and safeguards to protect their systems from potential exploits.

References

https://github.com/B2eFly/Router/blob/main/totolink/CP900...

https://github.com/B2eFly/CVE/blob/main/totolink/CP900/2/...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 23, 2023
Vulnerability Reserved
Apr 4, 2022

Totolink

What is CVE-2022-28491?

References

CVSS V3.1

Timeline