Cyber Resilience

CVE-2023-52038

Critical · Public PoC · RCE

Published: 24 January 2024

Modified: 30 May 2025
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0012 (30.8th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-52038 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink X6000R Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 30.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Deeper analysis

CVE-2023-52038 is a command injection vulnerability, tracked under CWE-77, that affects the TOTOLINK X6000R router running firmware version 9.4.0cu.852_B20230719. The flaw resides in the sub_415C80 function and permits unauthenticated attackers to execute arbitrary operating-system commands. It received a CVSS 3.1 base score of 9.8, reflecting network-accessible exploitation with no required credentials or user interaction and full impact on confidentiality, integrity, and availability.

An attacker with network reachability to the device can supply crafted input that reaches sub_415C80, resulting in immediate command execution and complete device compromise. No authentication or special privileges are needed, enabling remote takeover of affected routers.

The EPSS score for this CVE rose materially from a low baseline near 0.0012 to a peak of 0.0727 on 2025-01-22 before receding, indicating that exploitation interest surfaced after public disclosure. Public references consist of a GitHub repository containing technical details of the issue.

Vulnerability details

An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 allows attackers to run arbitrary commands via the sub_415C80 function.

CWE(s)

CWE-77 (Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Command injection vulnerability (CVE-2023-52038) in TOTOLINK X6000R router firmware allows remote arbitrary command execution via a vulnerable function, enabling exploitation of a public-facing network device application.

Affected Assets

totolink
x6000r firmware
9.4.0cu.852_b20230719

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
