CVE-2023-31856
Published: 16 May 2023
Summary
CVE-2023-31856 is a critical-severity Command Injection (CWE-77) vulnerability in TOTOLINK CP300+ firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 4.0% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
A command injection vulnerability tracked as CVE-2023-31856 affects the TOTOLINK CP300+ router running firmware version V5.2cu.7594_B20200910. The flaw resides in the hostTime parameter of the NTPSyncWithHost function and stems from insufficient input sanitization, enabling an attacker to supply a crafted HTTP request that results in arbitrary command execution on the device.
The vulnerability can be exploited remotely by unauthenticated attackers over the network. Successful exploitation grants full control over the affected router, allowing arbitrary command execution with impacts on confidentiality, integrity, and availability as reflected in its CVSS 9.8 score.
The two provided references point to a GitHub repository containing technical details of the issue but do not include vendor advisories, patches, or mitigation guidance. The EPSS score stands at 0.2260 with no indicated rise from a lower baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-36146
Vulnerability details
A command injection vulnerability in the hostTime parameter in the function NTPSyncWithHost of TOTOLINK CP300+ V5.2cu.7594_B20200910 allows attackers to execute arbitrary commands via a crafted HTTP packet.
- CWE(s): CWE-77 (Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.