Cyber Resilience

CVE-2023-31700

High · Public PoC · RCE

Published: 17 May 2023

Modified: 22 January 2025
KEV Added
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1187 (93.9th percentile)
Risk Priority: 25 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-31700 is a high-severity Command Injection (CWE-77) vulnerability in TP-Link TL-WPA4530 KIT firmware. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 6.1% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

TP-Link TL-WPA4530 KIT V2 devices running firmware versions (EU)_170406 and (EU)_161115 contain a command-injection vulnerability (CWE-77) reachable through the _httpRpmPlcDeviceAdd handler. The flaw permits an attacker to supply crafted input that is passed directly to a system command, resulting in arbitrary command execution on the affected powerline adapter.

An authenticated user with network access can exploit the issue without user interaction. Successful exploitation fully compromises the confidentiality, integrity, and availability of the device, consistent with the CVSS 8.8 rating.

The associated EPSS score stands at 0.1187 with no material increase after disclosure. Public technical details are limited to a single GitHub proof-of-concept report describing the injection point; no vendor advisory or firmware patch information is referenced in the available sources.

Vulnerability details

TP-Link TL-WPA4530 KIT V2 (EU)_170406 and V2 (EU)_161115 are vulnerable to Command Injection via _httpRpmPlcDeviceAdd.

CWE(s)

CWE-77 (Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: tp-link
Product: tl-wpa4530 kit firmware
Versions: 161115, 170406

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
