Command Injection Vulnerability in TOTOLink Outdoor CPE CP900 by TOTOLink
CVE-2022-28491

9.8CRITICAL

Key Information:

Vendor: Totolink
Status: Cp900 Firmware
Vendor: CVE Published:; 23 March 2023

Summary

TOTOLink's outdoor CPE CP900 device is susceptible to a command injection flaw within the NTPSyncWithHost function. Attackers can exploit this vulnerability by submitting a specially crafted request that manipulates the host_name parameter, enabling them to execute arbitrary commands on the device. This poses a serious risk to network integrity and security, making it essential for users to apply necessary updates and safeguards to protect their systems from potential exploits.

References

https://github.com/B2eFly/Router/blob/main/totolink/CP900...

https://github.com/B2eFly/CVE/blob/main/totolink/CP900/2/...

EPSS Score

1% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 23, 2023
Vulnerability Reserved
Apr 4, 2022

Collectors

NVD DatabaseMitre Database