CVE-2023-29798
Published: 14 April 2023
Summary
CVE-2023-29798 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink X18 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 5.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
TOTOLINK X18 firmware version V9.1.0cu.2024_B20220329 contains a command injection vulnerability in the setTracerouteCfg function, where the command parameter is processed without adequate sanitization. The flaw is tracked as CVE-2023-29798 and assigned CWE-77, with a CVSS 3.1 score of 9.8 reflecting network-accessible exploitation that requires no authentication or user interaction.
An unauthenticated attacker can supply a crafted command value over the network to the affected function, resulting in arbitrary command execution on the device. Successful exploitation grants the attacker full control over confidentiality, integrity, and availability of the router.
The EPSS score for this CVE reached a peak of 0.2264 after disclosure before settling at a current value of 0.1490, indicating a measurable increase in exploitation interest following public release. No vendor advisory or patch information is provided in the available references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-33336
Vulnerability details
TOTOLINK X18 V9.1.0cu.2024_B20220329 was discovered to contain a command injection vulnerability via the command parameter in the setTracerouteCfg function.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.