CVE-2022-32449
Published: 07 July 2022
Summary
CVE-2022-32449 is a critical-severity command injection (CWE-77) vulnerability in TOTOLINK EX300_V2 firmware V4.0.3c.7484. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 5.7% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
TOTOLINK EX300_V2 firmware V4.0.3c.7484 contains a command injection vulnerability in the setLanguageCfg function: the langType parameter, taken from an MQTT message, is passed into an operating-system command without validation. The flaw is tracked as CVE-2022-32449, carries a CVSS 3.1 base score of 9.8, and is classified under CWE-77.
An unauthenticated attacker who can reach the device's MQTT service can exploit the issue by sending a crafted MQTT data packet whose langType value carries shell metacharacters followed by an attacker-chosen command. Successful exploitation lets the attacker execute arbitrary operating-system commands with the privileges of the process that handles the message (the available sources do not state which account that is), giving full confidentiality, integrity, and availability impact on the device.
Public references consist solely of proof-of-concept repositories demonstrating the MQTT-based injection; no vendor advisory or patch information appears in the available sources. The EPSS score has remained essentially flat near 0.13, with only minimal variation between its recorded peak and current value.
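To make the flaw class concrete, here is an added example written for this page; it is not code from TOTOLINK's firmware or from the referenced proof-of-concept repositories. It reconstructs the vulnerable pattern in C (a langType value lifted from an MQTT payload spliced into a shell command line) beside an allowlist-based hardened form, and runs both over one constructed benign payload and one constructed crafted payload. The command template /bin/lang_cfg, the JSON-style payload shape, the language codes and the helper names are assumptions; the real handler's internals are not published in the sources this page cites. Nothing in the example executes a command: the builders only return the string a real handler would hand to system().

```c
#include <stdio.h>
#include <string.h>

/* Command template is an assumption; the real firmware's helper binary and
 * arguments are not published in the sources this page cites. */
#define LANG_CMD_FMT "/bin/lang_cfg set %s"

/* Vulnerable pattern (hypothetical reconstruction): the langType string taken
 * from the MQTT payload is spliced straight into a shell command line. The
 * function only returns the command a real handler would pass to system();
 * nothing here executes it. Returns 0 on success, -1 on truncation. */
int build_lang_cmd_vulnerable(const char *langType, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, LANG_CMD_FMT, langType);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Placeholder language codes; the firmware's real set is not in the sources. */
static const char *const kAllowedLang[] = { "en", "cn", "tw", "de", "fr", "jp", NULL };

/* Hardened form: langType must exactly match an allowlist entry, and the
 * command is built from the allowlist's own copy of the string, so no
 * attacker-controlled byte ever reaches the shell. Returns 0 if accepted,
 * -1 if rejected or truncated. */
int build_lang_cmd_hardened(const char *langType, char *out, size_t outlen)
{
    if (langType == NULL)
        return -1;
    for (size_t i = 0; kAllowedLang[i] != NULL; i++) {
        if (strcmp(kAllowedLang[i], langType) == 0) {
            int n = snprintf(out, outlen, LANG_CMD_FMT, kAllowedLang[i]);
            return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
        }
    }
    return -1;
}

/* Minimal extractor for a constructed payload of the form {"langType":"..."}.
 * The real packet layout is not documented in the page's sources; this pulls
 * one quoted value and does no general JSON parsing. Returns 0 on success,
 * -1 if the key is absent or the value does not fit in out. */
int extract_lang_type(const char *payload, char *out, size_t outlen)
{
    static const char key[] = "\"langType\":\"";
    const char *p = strstr(payload, key);
    if (p == NULL)
        return -1;
    p += sizeof key - 1;
    const char *end = strchr(p, '"');
    if (end == NULL || (size_t)(end - p) >= outlen)
        return -1;
    memcpy(out, p, (size_t)(end - p));
    out[end - p] = '\0';
    return 0;
}

/* Runs both builders over one benign and one crafted payload. Returns the
 * number of payloads the hardened builder accepted (expected: 1). */
int demo(void)
{
    /* Constructed sample MQTT payload bodies, not captured traffic. */
    const char *payloads[] = {
        "{\"topic\":\"setLanguageCfg\",\"langType\":\"en\"}",
        "{\"topic\":\"setLanguageCfg\",\"langType\":\"en;reboot\"}",
    };
    int accepted = 0;
    for (size_t i = 0; i < 2; i++) {
        char lang[64], cmd[256];
        if (extract_lang_type(payloads[i], lang, sizeof lang) != 0)
            continue;
        if (build_lang_cmd_vulnerable(lang, cmd, sizeof cmd) == 0)
            printf("vulnerable would run: %s\n", cmd);
        if (build_lang_cmd_hardened(lang, cmd, sizeof cmd) == 0) {
            printf("hardened runs:        %s\n", cmd);
            accepted++;
        } else {
            printf("hardened rejects:     %s\n", lang);
        }
    }
    return accepted;
}

int main(void)
{
    return demo() == 1 ? 0 : 1;
}
```

Compile with `cc -Wall -o langcfg langcfg.c && ./langcfg`; the crafted payload yields `/bin/lang_cfg set en;reboot` on the vulnerable path and a rejection on the hardened path. The design point is that an allowlist is preferable to escaping shell metacharacters: escaping has to anticipate every quoting context the command line passes through, while the allowlist never lets attacker bytes reach the shell at all.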
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-35521
Vulnerability details
TOTOLINK EX300_V2 V4.0.3c.7484 was discovered to contain a command injection vulnerability via the langType parameter in the setLanguageCfg function. This vulnerability is exploitable via a crafted MQTT data packet.
- CWE(s): CWE-77 (Improper Neutralization of Special Elements used in a Command, 'Command Injection')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- TOTOLINK EX300_V2 firmware V4.0.3c.7484
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE. Pending that mapping and any vendor fix (none is referenced in the available sources), the generic controls for an unauthenticated, network-reachable command injection apply: keep the device's MQTT service off untrusted networks so it is not reachable from the WAN or guest segments, alert on unexpected MQTT traffic to the device, and isolate or replace units running the affected firmware until a fixed release is confirmed.