Command Injection in TOTOLink N600R Router
CVE-2022-28906

9.8CRITICAL

Key Information:

Vendor: Totolink
Status: N600r Firmware
Vendor: CVE Published:; 10 May 2022

Summary

The TOTOLink N600R router has been identified to have a command injection vulnerability that can be exploited through the 'langtype' parameter in the '/setting/setLanguageCfg' endpoint. This flaw allows an attacker to send malicious input that could lead to the execution of arbitrary commands on the device. Addressing this vulnerability is crucial for maintaining the integrity and security of networked devices and preventing unauthorized access.

References

https://github.com/EPhaha/IOT_vuln/tree/main/TOTOLink/N60...

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 10, 2022
Vulnerability Reserved
Apr 11, 2022