TOTOLINK EX1200L setWanCfg os command injection
CVE-2023-4412

9.8CRITICAL

Key Information:

Vendor

TOTOLINK
Status
EX1200L
Vendor
CVE Published:
18 August 2023

What is CVE-2023-4412?

A security vulnerability has been identified in TOTOLINK EX1200L routers that allows for OS command injection via the setWanCfg function. This vulnerability can be exploited remotely, potentially allowing attackers to execute arbitrary commands on the affected device. The weakness was publicly disclosed, and the vendor has been made aware of it but did not provide a response. Users are encouraged to evaluate their risk and implement mitigation strategies to safeguard their networks from potential exploits.

Affected Version(s)

EX1200L EN_V9.3.5u.6146_B20201023

References

https://vuldb.com/?id.237515
vdb-entrytechnical-description
https://vuldb.com/?ctiid.237515
signaturepermissions-required
https://gist.github.com/dmknght/02a29e1c5ae18b45eacc2085d...
exploit

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

dmknght (VulDB User)
.
CVE-2023-4412 : TOTOLINK EX1200L setWanCfg os command injection