CVE-2023-46976
Published: 31 October 2023
Summary
CVE-2023-46976 is a command injection vulnerability (CWE-77) in TOTOLINK A3300R firmware, rated Critical with a CVSS base score of 9.8.
Operationally, it ranks in the top 13.2% of CVEs by EPSS exploit likelihood, is not currently listed in the CISA KEV catalog, and has a publicly referenced proof-of-concept.
Deeper analysis
TOTOLINK A3300R firmware version 17.0.0cu.557_B20221024 is affected by a command injection vulnerability tracked as CVE-2023-46976. The flaw resides in the UploadFirmwareFile function, where the file_name parameter is processed without adequate sanitization, corresponding to CWE-77. The issue carries a CVSS 3.1 score of 9.8, reflecting network-accessible attack vectors that require no authentication or user interaction.
An unauthenticated remote attacker can supply a crafted file_name value to the affected endpoint and execute arbitrary operating-system commands on the device. Successful exploitation grants full control over the router, enabling confidentiality, integrity, and availability impacts that include configuration changes, traffic interception, or persistent compromise of the network.
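The following C illustration is added here and is not the TOTOLINK firmware's code, nor taken from any of the referenced reports. It shows the CWE-77 pattern the advisory describes (a client-supplied file_name formatted straight into a shell command line) beside a hardened form that allowlists the name and passes it to execv as a separate argument instead of through a shell. The program path /bin/upgrade, the /tmp/ staging directory, and all function names are invented for the example; the actual UploadFirmwareFile handler is not reproduced.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical illustration of CWE-77 (not the TOTOLINK firmware's code):
 * an upload handler that splices a client-supplied file_name into a command
 * line. The program and directory names are invented for the example. */

/* Vulnerable pattern: file_name goes straight into a string that the caller
 * would hand to system() or popen(). We only build the string here, never run
 * it, so the effect of an injected ';' or '`' is visible in the result.
 * Returns 0 and fills cmd, or -1 if the command does not fit. */
int vulnerable_build_command(const char *file_name, char *cmd, size_t cmd_len)
{
    int n = snprintf(cmd, cmd_len, "/bin/upgrade /tmp/%s", file_name);
    return (n >= 0 && (size_t)n < cmd_len) ? 0 : -1;
}

/* Allowlist check for a firmware image name: 1..max_len characters drawn from
 * [A-Za-z0-9._-], not starting with '.', so "..", "/" and every shell
 * metacharacter (; | & $ ` < > newline, ...) are rejected by omission. */
int file_name_is_safe(const char *file_name, size_t max_len)
{
    size_t len = strlen(file_name);
    if (len == 0 || len > max_len || file_name[0] == '.')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)file_name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Hardened pattern: validate first, then build an argv vector for execv()
 * rather than a shell command line, so even an accepted name is never parsed
 * by /bin/sh. argv must have room for 3 pointers. Returns 0 on success or -1
 * when the name is rejected or the path does not fit. */
int hardened_build_argv(const char *file_name, char *path_buf, size_t path_len,
                        const char *argv[])
{
    if (!file_name_is_safe(file_name, 64))
        return -1;
    int n = snprintf(path_buf, path_len, "/tmp/%s", file_name);
    if (n < 0 || (size_t)n >= path_len)
        return -1;
    argv[0] = "/bin/upgrade";
    argv[1] = path_buf;
    argv[2] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a benign image name and one carrying an injected
     * command after a ';' separator. */
    const char *benign = "A3300R_fw.bin";
    const char *hostile = "fw.bin; touch /tmp/injected";
    char cmd[256], path[128];
    const char *argv[3];

    vulnerable_build_command(hostile, cmd, sizeof cmd);
    printf("vulnerable would run: %s\n", cmd);

    if (hardened_build_argv(hostile, path, sizeof path, argv) < 0)
        printf("hardened rejected: %s\n", hostile);
    if (hardened_build_argv(benign, path, sizeof path, argv) == 0)
        printf("hardened would execv: %s %s\n", argv[0], argv[1]);
    return 0;
}
```

The allowlist is deliberately stricter than "strip the metacharacters I can think of": a denylist misses the next separator (newline, `$()`, unusual encodings), whereas an allowlist only ever admits what the upgrade path genuinely needs. Building an argv for execv removes the shell from the picture entirely, so the check is defence in depth rather than the only barrier.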
The associated EPSS score started low after the October 2023 disclosure, rose sharply to a peak of 0.5106 on 2025-01-22, and has since receded to 0.0299. EPSS estimates the probability of exploitation activity within the next 30 days, so the peak marks a period in which exploitation was judged considerably more likely, and that interest later subsided. Public technical reports detailing the vulnerability are available but do not describe vendor patches or official mitigation steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-51134
Vulnerability details
TOTOLINK A3300R 17.0.0cu.557_B20221024 contains a command injection via the file_name parameter in the UploadFirmwareFile function.
- CWE(s): CWE-77 (Improper Neutralization of Special Elements used in a Command, "Command Injection")
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- TOTOLINK A3300R, firmware version 17.0.0cu.557_B20221024
Mitigating Controls
No vendor patch or official mitigation is described in the public reports referenced for this CVE. Because exploitation is unauthenticated and network-reachable, any host that can reach the router's web management interface can trigger the flaw; pending a fix, exposure can be reduced by keeping that interface unreachable from the WAN and limiting LAN access to it to trusted administrative hosts.