CVE-2023-46977

Critical · Public PoC

Published: 31 October 2023

Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1113 (93.6th percentile)
Risk Priority: 26 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-46977 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in TOTOLINK LR1200GB firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 6.4% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

TOTOLINK LR1200GB firmware version V9.1.0u.6619_B20230130 contains a stack-based buffer overflow in the loginAuth function triggered by the password parameter. The flaw is tracked as CVE-2023-46977 and assigned CWE-787, with a CVSS 3.1 base score of 9.8 reflecting network-accessible, unauthenticated exploitation that can result in full compromise of confidentiality, integrity, and availability.

An unauthenticated remote attacker can supply an oversized password value to the device's web login interface and overwrite the stack, enabling arbitrary code execution or denial of service. No authentication or user interaction is required, and the attack can be launched over the network with low complexity.

The EPSS score for this CVE has remained flat at 0.1113 since disclosure, indicating moderate but stable exploitation interest with no observed upward trajectory after publication. Public technical details are limited to researcher reports hosted on GitHub that describe the crash and proof-of-concept input.

Vulnerability details

TOTOLINK LR1200GB V9.1.0u.6619_B20230130 was discovered to contain a stack overflow via the password parameter in the function loginAuth.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: totolink
Product: lr1200gb firmware
Version: 9.1.0u.6619_b20230130

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-787

Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.