Cyber Resilience

CVE-2023-31856

Critical · Public PoC · RCE

Published: 16 May 2023

Modified: 23 January 2025
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2260 (96.0th percentile)
Risk Priority: 33 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-31856 is a critical-severity Command Injection (CWE-77) vulnerability in TOTOLINK CP300+ firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 4.0% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

A command injection vulnerability tracked as CVE-2023-31856 affects the TOTOLINK CP300+ router running firmware version V5.2cu.7594_B20200910. The flaw resides in the hostTime parameter of the NTPSyncWithHost function and stems from insufficient input sanitization, enabling an attacker to supply a crafted HTTP request that results in arbitrary command execution on the device.

The vulnerability can be exploited remotely by unauthenticated attackers over the network. Successful exploitation grants full control over the affected router, allowing arbitrary command execution with impacts on confidentiality, integrity, and availability as reflected in its CVSS 9.8 score.

The two provided references point to a GitHub repository containing technical details of the issue but do not include vendor advisories, patches, or mitigation guidance. The EPSS score stands at 0.2260 with no indicated rise from a lower baseline.

Vulnerability details

A command injection vulnerability in the hostTime parameter in the function NTPSyncWithHost of TOTOLINK CP300+ V5.2cu.7594_B20200910 allows attackers to execute arbitrary commands via a crafted HTTP packet.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

totolink
cp300+ firmware
5.2cu.7594_b20200910

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
