Command Injection Vulnerability in TOTOLINK EX300_V2
CVE-2022-32449

9.8CRITICAL

Key Information:

Vendor: Totolink
Status: Ex300 V2 Firmware
Vendor: CVE Published:; 7 July 2022

Summary

The TOTOLINK EX300_V2 version V4.0.3c.7484 is vulnerable to command injection through the 'langType' parameter in the 'setLanguageCfg' function. This security flaw could be exploited via a specially crafted MQTT data packet, allowing malicious actors to execute arbitrary commands on the vulnerable device, potentially compromising its integrity and functionality.

References

https://github.com/winmt/CVE/blob/main/TOTOLINK%20EX300_V...

https://github.com/winmt/my-vuls/tree/main/TOTOLINK%20EX3...

EPSS Score

33% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 7, 2022
Vulnerability Reserved
Jun 5, 2022