Cyber Resilience

CVE-2022-32449

Critical · Public PoC · RCE

Published: 07 July 2022

Modified: 21 November 2024
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1330 (94.3rd percentile)
Risk Priority: 28 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-32449 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink Ex300 V2 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 5.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

TOTOLINK EX300_V2 version V4.0.3c.7484 contains a command injection vulnerability in the setLanguageCfg function, where the langType parameter fails to sanitize input received via MQTT. The flaw is tracked as CVE-2022-32449, carries a CVSS 3.1 score of 9.8, and is classified under CWE-77.

An unauthenticated attacker with network access can exploit the issue by transmitting a crafted MQTT data packet that injects operating-system commands. Successful exploitation grants the attacker the ability to execute arbitrary code with the privileges of the affected process, resulting in full confidentiality, integrity, and availability impact on the device.

Public references consist solely of proof-of-concept repositories demonstrating the MQTT-based injection; no vendor advisory or patch information is provided in the available sources. The associated EPSS score has remained essentially flat near 0.13 with only minimal variation between its recorded peak and current value.
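The injection pattern the analysis describes, beside the corresponding fix, as an added illustrative example that is not the TOTOLINK firmware's code: the function names set_language_cfg_vulnerable() and set_language_cfg_hardened(), the /bin/setlang helper path, the language allowlist and the constructed sample value are all assumptions made for this illustration. The vulnerable variant splices the langType value straight into a shell command string, which is the CWE-77 shape; the hardened variant accepts only exact allowlist matches, and looks_like_injection() gives a defender a cheap flag for logging values that were rejected.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical allowlist of language codes the device supports. The real
 * firmware's accepted values are not on the record page; this list is assumed. */
static const char *const ALLOWED_LANG[] = { "en", "cn", "de", "fr", "ja" };
#define ALLOWED_LANG_COUNT (sizeof ALLOWED_LANG / sizeof ALLOWED_LANG[0])

/* Builds the command string that would be handed to a helper. The helper path
 * is a placeholder. Returns 0 on success, -1 on NULL input or a too-small buffer.
 * The string is only built, never executed, so the example runs stand-alone. */
static int build_lang_cmd(const char *lang_type, char *out, size_t out_len) {
    if (lang_type == NULL || out == NULL) return -1;
    int n = snprintf(out, out_len, "/bin/setlang %s", lang_type); /* placeholder path */
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

/* Vulnerable pattern (CWE-77): the untrusted langType value goes into the
 * command string unchecked. In the flawed design this string reaches a shell,
 * so a value containing ';', '|' or '`' appends commands of the sender's choosing. */
int set_language_cfg_vulnerable(const char *lang_type, char *out, size_t out_len) {
    return build_lang_cmd(lang_type, out, out_len);
}

/* Exact-match allowlist check: only values the firmware was built to handle
 * pass, so shell metacharacters never reach a command line. Case-sensitive
 * on purpose; "EN" is not a supported code in this hypothetical device. */
bool lang_type_allowed(const char *lang_type) {
    if (lang_type == NULL) return false;
    for (size_t i = 0; i < ALLOWED_LANG_COUNT; i++)
        if (strcmp(lang_type, ALLOWED_LANG[i]) == 0) return true;
    return false;
}

/* Detection aid for logging: true when a rejected value carries characters
 * a shell would interpret. Not a substitute for the allowlist, only a signal. */
bool looks_like_injection(const char *s) {
    if (s == NULL) return false;
    return strpbrk(s, ";|&`$()<>\n") != NULL;
}

/* Hardened handler: refuses anything outside the allowlist (returns -1) and
 * otherwise builds the same command (returns 0). A further step in real
 * firmware is to exec the helper with an argv array rather than via a shell. */
int set_language_cfg_hardened(const char *lang_type, char *out, size_t out_len) {
    if (!lang_type_allowed(lang_type)) return -1;
    return build_lang_cmd(lang_type, out, out_len);
}

int main(void) {
    /* Constructed sample value of the kind an MQTT-delivered langType might carry. */
    const char *sample = "en;echo injected";
    char cmd[64];

    if (set_language_cfg_vulnerable(sample, cmd, sizeof cmd) == 0)
        printf("vulnerable handler would run: %s\n", cmd);

    if (set_language_cfg_hardened(sample, cmd, sizeof cmd) != 0)
        printf("hardened handler rejected value%s\n",
               looks_like_injection(sample) ? " (shell metacharacters present)" : "");

    if (set_language_cfg_hardened("de", cmd, sizeof cmd) == 0)
        printf("hardened handler accepted: %s\n", cmd);
    return 0;
}
```

The design point is that the allowlist, not metacharacter filtering, is the control: a denylist of shell characters is easy to get wrong across shells and encodings, whereas exact matching against the handful of languages the device actually ships rejects everything else by construction. looks_like_injection() exists only so that rejected values can be logged and counted, which is the telemetry a defender wants from a device that takes configuration over MQTT.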

EU & UK References

Vulnerability details

TOTOLINK EX300_V2 V4.0.3c.7484 was discovered to contain a command injection vulnerability via the langType parameter in the setLanguageCfg function. This vulnerability is exploitable via a crafted MQTT data packet.

CWE(s)

CWE-77 (Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: totolink
Product: ex300 v2 firmware
Version: 4.0.3c.7484

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References