CVE-2023-46977
Published: 31 October 2023
Summary
CVE-2023-46977 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in TOTOLINK LR1200GB firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 6.4% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
TOTOLINK LR1200GB firmware version V9.1.0u.6619_B20230130 contains a stack-based buffer overflow in the loginAuth function triggered by the password parameter. The flaw is tracked as CVE-2023-46977 and assigned CWE-787, with a CVSS 3.1 base score of 9.8 reflecting network-accessible, unauthenticated exploitation that can result in full compromise of confidentiality, integrity, and availability.
An unauthenticated remote attacker can supply an oversized password value to the device's web login interface and overwrite the stack, enabling arbitrary code execution or denial of service. No authentication or user interaction is required, and the attack can be launched over the network with low complexity.
The EPSS score for this CVE has remained flat at 0.1113 since disclosure, indicating moderate but stable exploitation interest with no observed upward trajectory after publication. Public technical details are limited to researcher reports hosted on GitHub that describe the crash and proof-of-concept input.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-51135
Vulnerability details
TOTOLINK LR1200GB V9.1.0u.6619_B20230130 was discovered to contain a stack overflow via the password parameter in the function loginAuth.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.