CVE-2023-29801
Published: 14 April 2023
Summary
CVE-2023-29801 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink X18 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, this CVE ranks in the top 5.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
TOTOLINK X18 firmware version V9.1.0cu.2024_B20220329 contains multiple command-injection flaws in the setSyslogCfg function. Unauthenticated attackers can supply crafted values for the rtLogEnabled and rtLogServer parameters to execute arbitrary operating-system commands on the device. The issues are tracked as CVE-2023-29801, carry a CVSS 3.1 score of 9.8, and are classified under CWE-77.
Because the vulnerable function is reachable over the network without authentication or user interaction, an attacker who can reach the router’s management interface can obtain full control of the device, including the ability to read or modify configuration, capture traffic, or pivot into attached networks. The same access also permits persistent changes such as the installation of additional malware or the alteration of DNS and logging settings.
Public exploit details have been posted to Notion, yet no vendor advisory or firmware update addressing the flaws has been identified. The CVE’s EPSS score rose from a low baseline to a recorded peak of 0.2264, indicating measurable post-disclosure exploitation interest that warrants renewed attention from defenders.
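One defensive check for the two parameters named above, added here as an example (it is not TOTOLINK's firmware code, and the function names are assumptions): an allowlist validator that accepts rtLogEnabled only as "0" or "1" and rtLogServer only as a hostname or IPv4 literal with an optional port, so no shell metacharacter can reach a command line.

```c
#include <ctype.h>
#include <string.h>

/* Hypothetical hardening for the setSyslogCfg parameters from the advisory.
 * The handler should refuse the request when this returns 0, and even on
 * success pass the values as argv entries (execve/posix_spawn), never
 * through system() or a shell. */

/* rtLogEnabled must be exactly "0" or "1". */
int valid_rt_log_enabled(const char *v) {
    return v != NULL && v[1] == '\0' && (v[0] == '0' || v[0] == '1');
}

/* rtLogServer must be a hostname or IPv4 literal, optionally ":port".
 * Host part: only [A-Za-z0-9.-]; port part: digits forming 1..65535.
 * Any other byte (space, ';', '|', '`', '$', quotes, newline, ...) is
 * rejected, so the value cannot change the meaning of a command line. */
int valid_rt_log_server(const char *v) {
    if (v == NULL || *v == '\0' || strlen(v) > 253) return 0;
    const char *p = v;
    while (*p && *p != ':') {
        if (!isalnum((unsigned char)*p) && *p != '.' && *p != '-') return 0;
        p++;
    }
    if (p == v) return 0;             /* empty host part */
    if (*p == ':') {
        p++;
        if (*p == '\0') return 0;     /* trailing ':' with no port */
        long port = 0;
        for (; *p; p++) {
            if (!isdigit((unsigned char)*p)) return 0;
            port = port * 10 + (*p - '0');
            if (port > 65535) return 0;
        }
        if (port == 0) return 0;
    }
    return 1;
}

/* 1 only when both parameters pass the allowlist, 0 otherwise. */
int validate_syslog_cfg(const char *enabled, const char *server) {
    return valid_rt_log_enabled(enabled) && valid_rt_log_server(server);
}
```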
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-33339
Vulnerability details
TOTOLINK X18 V9.1.0cu.2024_B20220329 was discovered to contain multiple command injection vulnerabilities via the rtLogEnabled and rtLogServer parameters in the setSyslogCfg function.
- CWE(s): CWE-77 (Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.