TOTOLINK EX1200L setTracerouteCfg os command injection
CVE-2023-4411

9.8CRITICAL

Key Information:

Vendor

TOTOLINK
Status
EX1200L
Vendor
CVE Published:
18 August 2023

What is CVE-2023-4411?

A serious OS command injection vulnerability has been identified in the TOTOLINK EX1200L device, specifically affecting the setTracerouteCfg function. This flaw allows unauthorized users to execute arbitrary commands on the device remotely. The vulnerability has been publicly disclosed, and exploitation is feasible due to a lack of response from the vendor upon notification. Users are urged to secure their devices to prevent potential exploitation.

Affected Version(s)

EX1200L EN_V9.3.5u.6146_B20201023

References

https://vuldb.com/?id.237514
vdb-entrytechnical-description
https://vuldb.com/?ctiid.237514
signaturepermissions-required
https://gist.github.com/dmknght/02a29e1c5ae18b45eacc2085d...
exploit

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

dmknght (VulDB User)
.
CVE-2023-4411 : TOTOLINK EX1200L setTracerouteCfg os command injection