Command Execution Vulnerability in TOTOLINK X6000R Router
CVE-2023-48811
9.8 CRITICAL
Summary
A vulnerability in the TOTOLINK X6000R router allows an attacker to execute arbitrary commands because the shttpd file mishandles input fields. The sub_4119A0 function uses the Uci_Set_Str function improperly, and the result is subsequently passed to the CsteSystem function, enabling unauthorized command execution on the device. This could lead to unauthorized access and potential exposure of sensitive information.
CVSS V3.1
Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability reserved