CVE-2022-28495
Published: 24 March 2023
Summary
CVE-2022-28495 is a critical-severity OS Command Injection (CWE-78) vulnerability in Totolink Cp900 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 8.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
TOTOLink outdoor CPE CP900 running firmware version V6.3c.566_B20171026 contains an OS command injection vulnerability (CWE-78) in the setWebWlanIdx function. Because the value of the webWlanIdx parameter is not sanitized before it reaches a shell, a crafted HTTP request that supplies this parameter can make the device execute attacker-controlled shell commands.
Unauthenticated attackers with network access can exploit the issue remotely by sending a malicious request to the web management interface. Successful exploitation grants arbitrary command execution with full system privileges, corresponding to the CVSS 9.8 rating that reflects no required authentication or user interaction.
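To make the CWE-78 pattern behind this advisory concrete, the following C snippet is an added, constructed illustration and is not code from the CP900 firmware or from TOTOLink. It shows a CGI-style handler that pastes a request parameter into a shell command line, beside a hardened version that allow-lists the parameter as a small integer index and never hands request data to a shell at all. The helper name "wlanctl", the MAX_WLAN_IDX bound and the function names are assumptions chosen for the example.

```c
/* Constructed illustration of CWE-78 in a router web handler: the
 * "vulnerable" function builds (but deliberately does not execute) the
 * shell line it would pass to system(); the hardened functions validate
 * the index and build an argv array for exec-style invocation instead.
 * Names (wlanctl, MAX_WLAN_IDX) are hypothetical, not from the firmware. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define MAX_WLAN_IDX 3   /* assumed highest valid WLAN interface index */

/* Vulnerable pattern: the raw webWlanIdx value is interpolated into a
 * command line.  Any byte the shell treats specially (';', '|', '`',
 * '$', newline) becomes part of what the shell would execute.
 * Returns 0 and fills 'out' with the would-be command, -1 on truncation. */
int build_unsafe_command(const char *web_wlan_idx, char *out, size_t out_len)
{
    int n = snprintf(out, out_len, "wlanctl set-idx %s", web_wlan_idx);
    return (n >= 0 && (size_t)n < out_len) ? 0 : -1;
}

/* Hardened step 1: strict allow-list validation.  An interface index is
 * a short decimal integer in a known range; everything else is rejected
 * (empty string, any non-digit character, sign, more than two digits,
 * out-of-range value).  Returns 1 and stores the index on success, else 0. */
int parse_wlan_idx(const char *s, int *idx_out)
{
    size_t len, i;
    long v;
    if (s == NULL) return 0;
    len = strlen(s);
    if (len == 0 || len > 2) return 0;
    for (i = 0; i < len; i++)
        if (!isdigit((unsigned char)s[i])) return 0;
    v = strtol(s, NULL, 10);
    if (v < 0 || v > MAX_WLAN_IDX) return 0;
    *idx_out = (int)v;
    return 1;
}

/* Hardened step 2: no shell.  Only an integer we formatted ourselves is
 * placed into an argv array suitable for execv()-style invocation, so no
 * command-line parsing of request data ever happens.  Returns 0 on
 * success, -1 if the parameter failed validation. */
int build_safe_argv(const char *web_wlan_idx, char *idx_buf, size_t idx_len,
                    const char *argv_out[4])
{
    int idx;
    if (!parse_wlan_idx(web_wlan_idx, &idx)) return -1;
    snprintf(idx_buf, idx_len, "%d", idx);
    argv_out[0] = "wlanctl";
    argv_out[1] = "set-idx";
    argv_out[2] = idx_buf;
    argv_out[3] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed sample parameter values: one valid, the rest malformed. */
    const char *inputs[] = { "1", "2;x", "10", "-1", "" };
    char cmd[128], idxbuf[8];
    const char *argv[4];
    size_t i;
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        build_unsafe_command(inputs[i], cmd, sizeof cmd);
        printf("input \"%s\" -> unsafe shell line: \"%s\"; hardened handler: %s\n",
               inputs[i], cmd,
               build_safe_argv(inputs[i], idxbuf, sizeof idxbuf, argv) == 0
                   ? "accepted" : "rejected");
    }
    return 0;
}
```

The design point is that validation alone is only half the fix: even a well-validated value should not be re-serialised into a string a shell parses. Using an argv array (or writing the configuration directly) removes the shell from the path entirely, which is the durable mitigation for this weakness class.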
Public references consist solely of proof-of-concept disclosures on GitHub and do not include vendor advisories or patch information. The associated EPSS score has remained flat at 0.0671 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-32937
Vulnerability details
TOTOLink outdoor CPE CP900 V6.3c.566_B20171026 is discovered to contain a command injection vulnerability in the setWebWlanIdx function via the webWlanIdx parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.