Cyber Resilience

CVE-2022-28495

Critical · Public PoC · RCE

Published: 24 March 2023
Modified: 20 February 2025
KEV Added: not listed
Patch: none referenced
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0671 (91.5th percentile)
Risk priority: 24 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-28495 is a critical-severity OS Command Injection (CWE-78) vulnerability in TOTOLINK CP900 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 8.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

TOTOLink outdoor CPE CP900 running firmware version V6.3c.566_B20171026 contains an OS command injection vulnerability (CWE-78) in the setWebWlanIdx function. The flaw is triggered when the webWlanIdx parameter is supplied in a crafted HTTP request, allowing the device to execute attacker-controlled shell commands without any input sanitization.

Unauthenticated attackers with network access can exploit the issue remotely by sending a malicious request to the web management interface. Successful exploitation grants arbitrary command execution with full system privileges, consistent with the CVSS 9.8 rating (network vector, no authentication or user interaction required).

Public references consist solely of proof-of-concept disclosures on GitHub and do not include vendor advisories or patch information. The associated EPSS score has remained flat at 0.0671 with no material increase since disclosure.

Vulnerability details

TOTOLink outdoor CPE CP900 V6.3c.566_B20171026 is discovered to contain a command injection vulnerability in the setWebWlanIdx function via the webWlanIdx parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

CWE(s): CWE-78 (OS Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: totolink
Product: cp900 firmware
Version: 6.3c.566_b20171026

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control (addresses CWE-78): Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

Control (addresses CWE-78): Validates inputs to block special elements that would alter OS command execution.
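As an added illustration of the input-validation control above (this is not TOTOLink firmware code and is not taken from this record): a C handler that splices an index-style request parameter straight into a shell command line, beside a hardened version that allowlist-parses the parameter as a small integer, re-serializes it, and launches the helper through an argv vector with no shell involved. The function names, the /sbin/wlan_status path and the MAX_WLAN_IDX bound are constructed assumptions.

```c
/* Added example, not TOTOLink firmware code: a CWE-78-prone builder beside a
 * hardened handler for an index-style request parameter. Function names,
 * the "/sbin/wlan_status" path and MAX_WLAN_IDX are constructed assumptions. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_WLAN_IDX 7u   /* constructed: device exposes at most 8 WLAN interfaces */

/* Vulnerable pattern: the raw request parameter is spliced into a shell
 * command string. Any shell metacharacter in idx_param survives into the
 * string, so a later system(cmd) would run whatever the request supplied.
 * Kept as a string builder only; nothing is executed here. */
void build_cmdline_unsafe(const char *idx_param, char *out, size_t outlen)
{
    snprintf(out, outlen, "/sbin/wlan_status wlan%s", idx_param);
}

/* Hardened pattern, step 1: strict allowlist parse. The parameter must be a
 * plain decimal integer in [0, MAX_WLAN_IDX] with no sign, whitespace,
 * leading zeros or trailing bytes. Returns true and stores the value. */
bool parse_wlan_idx(const char *s, unsigned *out)
{
    if (s == NULL || *s == '\0')
        return false;
    size_t len = strlen(s);
    if (len > 2)                     /* anything longer cannot be in range */
        return false;
    if (len == 2 && s[0] == '0')     /* reject "07"-style encodings */
        return false;
    unsigned v = 0;
    for (size_t i = 0; i < len; i++) {
        if (!isdigit((unsigned char)s[i]))
            return false;
        v = v * 10u + (unsigned)(s[i] - '0');
    }
    if (v > MAX_WLAN_IDX)
        return false;
    *out = v;
    return true;
}

/* Hardened pattern, step 2: re-serialize the validated integer into the
 * interface name, so the original request bytes never reach the command. */
bool make_wlan_ifname(const char *idx_param, char *buf, size_t buflen)
{
    unsigned idx;
    if (!parse_wlan_idx(idx_param, &idx))
        return false;
    int n = snprintf(buf, buflen, "wlan%u", idx);
    return n > 0 && (size_t)n < buflen;
}

/* Hardened pattern, step 3: run the helper via an argv vector (execv here;
 * posix_spawn would do equally well) rather than a shell, so no command-line
 * parsing happens at all. Returns -1 for rejected input or a fork failure,
 * otherwise the child's wait status. */
int run_wlan_status(const char *idx_param)
{
    char ifname[16];
    if (!make_wlan_ifname(idx_param, ifname, sizeof ifname))
        return -1;
    char *const argv[] = { "/sbin/wlan_status", ifname, NULL };  /* constructed path */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);              /* only reached if execv itself fails */
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return status;
}

int main(void)
{
    const char *samples[] = { "0", "7", "8", "07", "-1", "1 ", "1;x", "" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        build_cmdline_unsafe(samples[i], buf, sizeof buf);
        printf("unsafe builder : %-32s\n", buf);
        printf("hardened parse : %s -> %s\n", samples[i],
               make_wlan_ifname(samples[i], buf, sizeof buf) ? buf : "REJECTED");
    }
    return 0;
}
```

The validator is deliberately stricter than "is it a number": it bounds length before converting, rejects alternate encodings of the same value, and the only thing that reaches the helper is a freshly formatted `wlan<N>` string. Routing the call through `execv` instead of `system` removes the shell from the path entirely, so even a future validation bug cannot turn into command injection.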
