CVE-2022-28497
Published: 23 March 2023
Summary
CVE-2022-28497 is a critical-severity command injection (CWE-77) vulnerability in TOTOLink CP900 firmware. Its CVSS base score is 9.8 (Critical).
Operationally, its EPSS score places it in the top 18.3% of CVEs by predicted exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
TOTOLink outdoor CPE CP900 version V6.3c.566_B20171026 contains a command injection vulnerability in the mtd_write_bootloader function. The flaw is triggered through the filename parameter and is tracked as CWE-77, carrying a CVSS 3.1 score of 9.8 that reflects network-accessible exploitation without authentication or user interaction.
An unauthenticated attacker who can reach the device's management interface can submit a crafted request carrying shell metacharacters in the filename parameter and achieve arbitrary command execution on the underlying embedded system. Because the injected command runs in the context of the device's management service, successful exploitation gives the attacker control over the device's firmware and configuration, enabling persistence, data exfiltration, or onward movement into the network behind the CPE.
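The page does not publish the body of mtd_write_bootloader, so the following is an added, illustrative reconstruction of the pattern the description implies (a user-controlled filename interpolated into a shell command), placed next to a hardened equivalent. It is not TOTOLink's code: the exact command line, the /tmp staging path, the /bin/mtd_write binary location and the function names are assumptions for illustration only.

```c
/*
 * Added example: illustrative reconstruction of the command-injection pattern
 * described for mtd_write_bootloader, next to a hardened version.
 * NOT TOTOLink's code; the command line, the /tmp staging path and the
 * /bin/mtd_write location are assumptions for illustration only.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * VULNERABLE shape (builds the string only; nothing is executed here):
 * the attacker-controlled filename is interpolated into a shell command
 * that the original code would hand to system(). Anything the shell treats
 * specially (';', '|', '`', '$(...)') becomes a second command.
 * Returns 0 on success, -1 if the buffer is too small.
 */
int build_mtd_cmd_unsafe(char *out, size_t outlen, const char *filename)
{
    int n = snprintf(out, outlen, "mtd_write write /tmp/%s Bootloader", filename);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/*
 * Allowlist check for the filename parameter: a short basename made only of
 * [A-Za-z0-9._-], not starting with '.' or '-' (no hidden files, no path
 * traversal, nothing a downstream tool could parse as an option).
 * Returns 1 if acceptable, 0 otherwise.
 */
int filename_is_safe(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 64) return 0;
    if (name[0] == '.' || name[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return 0;
    }
    return 1;
}

/*
 * HARDENED shape: validate first, then exec the helper directly with an argv
 * vector. No shell ever parses the filename, so metacharacters cannot
 * introduce extra commands even if the allowlist were later relaxed.
 * Returns the child's exit status, or -1 on rejection/failure.
 */
int mtd_write_bootloader_safe(const char *filename)
{
    char path[128];
    if (!filename_is_safe(filename)) return -1;
    snprintf(path, sizeof path, "/tmp/%s", filename);

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { "mtd_write", "write", path, "Bootloader", NULL };
        execv("/bin/mtd_write", argv);   /* assumed location of the flashing tool */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample inputs: one benign name and three injection attempts. */
    const char *inputs[] = { "bootloader.bin", "x;reboot", "$(id)", "../etc/passwd" };
    char cmd[256];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        build_mtd_cmd_unsafe(cmd, sizeof cmd, inputs[i]);
        printf("%-16s unsafe cmd: \"%s\"  allowlist: %s\n", inputs[i], cmd,
               filename_is_safe(inputs[i]) ? "accept" : "reject");
    }
    return 0;
}
```

Two layers matter here. The allowlist is the fix for this parameter, and it is what a reviewer should look for in a patched firmware; the switch from system() to fork/execv removes the shell from the path entirely, so a later loosening of the allowlist (or a second, unvalidated parameter) no longer turns into command execution.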
Public proof-of-concept code demonstrating the issue has been published on GitHub. The EPSS score rose from a low baseline to a peak of 0.0895 on 2025-01-22 before receding to the current value of 0.0154. EPSS is a model-based estimate of the probability of exploitation in the next 30 days, not a record of observed attacks, so the peak indicates a period in which the estimated likelihood of exploitation rose, not confirmed in-the-wild activity.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-32939
Vulnerability details
TOTOLink outdoor CPE CP900 V6.3c.566_B20171026 is discovered to contain a command injection vulnerability in the mtd_write_bootloader function via the filename parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
- CWE(s): CWE-77, Improper Neutralization of Special Elements used in a Command ('Command Injection')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- TOTOLink outdoor CPE CP900, firmware V6.3c.566_B20171026
Mitigating Controls
No mitigating controls have been mapped for this CVE yet. Pending vendor guidance, the general controls for an unauthenticated flaw in a device management interface apply: do not expose the CP900's web interface to untrusted networks, and restrict management access to a trusted administrative network.