CVE-2023-39617
Published: 21 August 2023
Summary
CVE-2023-39617 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink X5000R Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 7.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
TOTOLINK X5000R routers running firmware versions V9.1.0cu.2089_B20211224 and V9.1.0cu.2350_B20230313 contain a remote code execution vulnerability in the setLanguageCfg function. The flaw is triggered by unsanitized input to the lang parameter and is tracked as CWE-77, resulting in a CVSS 3.1 score of 9.8 that reflects network-accessible command injection without authentication or user interaction.
An attacker with network reachability can submit a crafted lang value to the affected endpoint and obtain arbitrary command execution on the device. Successful exploitation grants full control over the router, allowing an adversary to read or modify configuration data, intercept traffic, or pivot into attached networks.
The two referenced disclosures consist of identical Notion pages that describe the issue but supply no vendor advisory, firmware update, or mitigation guidance. The associated EPSS score has remained flat at 0.0784 with no observable increase after publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-43326
Vulnerability details
TOTOLINK X5000R_V9.1.0cu.2089_B20211224 and X5000R_V9.1.0cu.2350_B20230313 were discovered to contain a remote code execution (RCE) vulnerability via the lang parameter in the setLanguageCfg function.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.