Cyber Resilience

CVE-2023-29801

CriticalPublic PoCRCE

Published: 14 April 2023

Published
14 April 2023
Modified
06 February 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.1490 94.7th percentile
Risk Priority 29 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-29801 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink X18 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 5.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

TOTOLINK X18 firmware version V9.1.0cu.2024_B20220329 contains multiple command-injection flaws in the setSyslogCfg function. Unauthenticated attackers can supply crafted values for the rtLogEnabled and rtLogServer parameters to execute arbitrary operating-system commands on the device. The issues are tracked as CVE-2023-29801, carry a CVSS 3.1 score of 9.8, and are classified under CWE-77.

Because the vulnerable function is reachable over the network without authentication or user interaction, an attacker who can reach the router’s management interface can obtain full control of the device, including the ability to read or modify configuration, capture traffic, or pivot into attached networks. The same access also permits persistent changes such as the installation of additional malware or the alteration of DNS and logging settings.

Public exploit details have been posted to Notion, yet no vendor advisory or firmware update addressing the flaws has been identified. The CVE’s EPSS score rose from a low baseline to a recorded peak of 0.2264, indicating measurable post-disclosure exploitation interest that warrants renewed attention from defenders.

EU & UK References

Vulnerability details

TOTOLINK X18 V9.1.0cu.2024_B20220329 was discovered to contain multiple command injection vulnerabilities via the rtLogEnabled and rtLogServer parameters in the setSyslogCfg function.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

totolink
x18 firmware
9.1.0cu.2024_b20220329

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References