CVE-2023-29800
Published: 14 April 2023
Summary
CVE-2023-29800 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink X18 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 5.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
TOTOLINK X18 firmware version V9.1.0cu.2024_B20220329 contains a command injection vulnerability in the UploadFirmwareFile function, where the FileName parameter is not properly sanitized. The flaw is tracked as CVE-2023-29800 with a CVSS 3.1 score of 9.8 and is classified under CWE-77.
An unauthenticated attacker with network access can supply a crafted FileName value to execute arbitrary operating-system commands on the device. Successful exploitation grants full control over confidentiality, integrity, and availability of the affected router without requiring user interaction or credentials.
The EPSS score for this CVE reached a peak of 0.2264 after disclosure and currently stands at 0.1490, indicating a material rise in predicted exploitation likelihood that warrants renewed attention from defenders. No vendor advisory or patch information is provided in the available references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-33338
Vulnerability details
TOTOLINK X18 V9.1.0cu.2024_B20220329 was discovered to contain a command injection vulnerability via the FileName parameter in the UploadFirmwareFile function.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.