CVE-2023-31700
Published: 17 May 2023
Summary
CVE-2023-31700 is a high-severity Command Injection (CWE-77) vulnerability in TP-Link TL-WPA4530 KIT firmware. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 6.1% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
TP-Link TL-WPA4530 KIT V2 devices running firmware versions (EU)_170406 and (EU)_161115 contain a command-injection vulnerability (CWE-77) reachable through the _httpRpmPlcDeviceAdd handler. The flaw permits an attacker to supply crafted input that is passed directly to a system command, resulting in arbitrary command execution on the affected powerline adapter.
An authenticated user with network access can exploit the issue without user interaction. Successful exploitation fully compromises the confidentiality, integrity, and availability of the device, consistent with the CVSS 8.8 rating.
The associated EPSS score stands at 0.1187 with no material increase after disclosure. Public technical details are limited to a single GitHub proof-of-concept report describing the injection point; no vendor advisory or firmware patch information is referenced in the available sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-35995
Vulnerability details
TP-Link TL-WPA4530 KIT V2 (EU)_170406 and V2 (EU)_161115 are vulnerable to Command Injection via _httpRpmPlcDeviceAdd.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.