Cyber Resilience

CVE-2023-46976

Critical · Public PoC · RCE

Published: 31 October 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: none referenced
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0299 (86.8th percentile)
Risk Priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-46976 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink A3300R Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, its EPSS score places it in the top 13.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

TOTOLINK A3300R firmware version 17.0.0cu.557_B20221024 is affected by a command injection vulnerability tracked as CVE-2023-46976. The flaw resides in the UploadFirmwareFile function, where the file_name parameter is processed without adequate sanitization, corresponding to CWE-77. The issue carries a CVSS 3.1 score of 9.8, reflecting network-accessible attack vectors that require no authentication or user interaction.

An unauthenticated remote attacker can supply a crafted file_name value to the affected endpoint and execute arbitrary operating-system commands on the device. Successful exploitation grants full control over the router, enabling confidentiality, integrity, and availability impacts that include configuration changes, traffic interception, or persistent compromise of the network.

The associated EPSS score started low after the October 2023 disclosure, rose sharply to a peak of 0.5106 on 2025-01-22, and has since receded to 0.0299, indicating a period of heightened exploitation interest that later subsided. Public technical reports detailing the vulnerability are available but do not describe vendor patches or official mitigation steps.

EU & UK References

Vulnerability details

TOTOLINK A3300R 17.0.0cu.557_B20221024 contains a command injection via the file_name parameter in the UploadFirmwareFile function.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: totolink
Product: a3300r firmware
Version: 17.0.0cu.557_b20221024

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References