Command Injection Vulnerability in TOTOLink Outdoor CPE CP900
CVE-2022-28495

9.8CRITICAL

Key Information:

Vendor: Totolink
Status: Cp900 Firmware
Vendor: CVE Published:; 24 March 2023

Summary

The TOTOLink outdoor CPE CP900, specifically the version V6.3c.566_B20171026, is susceptible to a command injection vulnerability in the setWebWlanIdx function. This issue arises due to improper validation of the webWlanIdx parameter, enabling attackers to send specially crafted requests that could lead to the execution of arbitrary commands on the device. Organizations using affected devices should evaluate their systems and implement appropriate security measures to mitigate any potential risks.

References

https://github.com/B2eFly/Router/blob/main/totolink/CP900...

https://github.com/B2eFly/CVE/blob/main/totolink/CP900/3/...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 24, 2023
Vulnerability Reserved
Apr 4, 2022

Collectors

NVD DatabaseMitre Database