Cyber Resilience

CVE-2023-52039

Critical · Public PoC · RCE

Published: 24 January 2024
Modified: 30 May 2025
KEV Added: not listed
Patch: no vendor patch referenced
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0012 (30.8th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-52039 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink X6000R Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE sits at the 30.8th percentile of EPSS exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Deeper analysis

CVE-2023-52039 is a command injection vulnerability, tracked under CWE-77, that affects the TOTOLINK X6000R wireless router running firmware version v9.4.0cu.852_B20230719. The flaw resides in the function the write-up calls sub_415AA4 (a disassembler-generated name for the unnamed function at address 0x415AA4, not a symbol that appears in vendor documentation) and permits unauthenticated remote attackers to execute arbitrary operating-system commands. It received a CVSS 3.1 base score of 9.8, reflecting a network attack vector, low attack complexity, and no required privileges or user interaction.

An attacker with network access to the device's management interface can supply crafted input that reaches sub_415AA4 without neutralization of shell metacharacters and is handed to a command interpreter, yielding arbitrary command execution with the privileges of the process that hosts the function and, in practice, full control over the router. Successful exploitation grants the ability to read, modify, or delete data and to alter device behavior, which matches the high confidentiality, integrity, and availability impacts in the CVSS vector.
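To make the CWE-77 pattern concrete, here is an added example in C, written for this page. It is illustrative code, not the TOTOLINK firmware and not the sub_415AA4 function, whose request parameters and underlying command are not documented here. It shows a CGI-style handler that formats a request parameter into a shell command line beside a hardened version that allowlist-validates the value and executes without a shell. The parameter name `host`, the `ping` command, the constructed attacker input and all function names are assumptions.

```c
/*
 * Illustrative CWE-77 command injection and its fix. Added example for this
 * page; not code from the TOTOLINK X6000R firmware or the referenced write-up.
 * The "host" parameter, the ping command and all names here are assumptions.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* --- Vulnerable pattern ---------------------------------------------------
 * An untrusted request parameter is formatted straight into a shell command
 * line. Metacharacters in the value (; | & ` $( )) become extra commands once
 * the string reaches system() or popen(). This function only builds the
 * string so the result can be inspected without running it.
 */
int vuln_build_command(const char *host, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "ping -c 1 %s", host);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* --- Hardened pattern -----------------------------------------------------
 * 1. Allowlist the parameter: a hostname or IPv4 literal is only
 *    [A-Za-z0-9.-], bounded in length, and must not start with '-'
 *    (a leading dash would be parsed by ping as an option).
 * 2. Never go through a shell: build argv[] and execvp() it, so the value is
 *    exactly one argument no matter what characters it contains.
 */
#define MAX_HOST 253

int is_safe_host(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > MAX_HOST || host[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* Builds the argv vector for ping. Returns the number of arguments, or -1 if
 * the host fails validation. argv must have room for 5 pointers. */
int safe_build_argv(const char *host, const char *argv[5])
{
    if (!is_safe_host(host))
        return -1;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = host;     /* single argv slot: ';' or '|' inside it is just data */
    argv[4] = NULL;
    return 4;
}

/* Validates, then runs ping via fork()+execvp() with no shell involved.
 * Returns the child's exit status, or -1 on validation or fork failure. */
int safe_run_ping(const char *host)
{
    const char *argv[5];
    if (safe_build_argv(host, argv) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);     /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed attacker input: a valid target followed by an injected command. */
    const char *evil = "127.0.0.1; cat /etc/passwd";
    char cmd[256];
    if (vuln_build_command(evil, cmd, sizeof cmd) == 0)
        printf("vulnerable handler would hand the shell: %s\n", cmd);
    printf("hardened handler result for the same input: %d (rejected)\n",
           safe_run_ping(evil));
    return 0;
}
```

The hardened path rejects the injected value before anything executes. Even if the allowlist were weaker, passing an argv vector to execvp() means a ';' or '|' in the value reaches ping as part of one argument rather than being parsed by a shell. The leading-dash check matters separately: a value such as "-f" passes a character allowlist but would still be interpreted as an option, which is why validation and shell-free execution are applied together.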

The two provided references point to the same GitHub repository containing a technical write-up of the issue; neither reference nor the CVE record itself documents an official vendor advisory or patch. Until a vendor fix is available, the practical control is exposure reduction: no WAN-side access to the router's management interface, and LAN-side access to it restricted to trusted hosts.

EPSS for the CVE rose from a low baseline to a peak of 0.0727 on 2025-01-22 before receding to the current value of 0.0012. Since EPSS estimates the probability of exploitation in the wild over the following 30 days, the spike marks a window, a year after the January 2024 disclosure, in which the model rated exploitation of this CVE as markedly more likely than it does today.

EU & UK References

Vulnerability details

An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 allows attackers to run arbitrary commands via the sub_415AA4 function.

CWE(s)

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The command injection in the TOTOLINK X6000R firmware (sub_415AA4) lets an attacker exploit the router's public-facing web interface for initial access (T1190); the same flaw reached from inside the network, for example from a compromised LAN host targeting the router's management interface, is exploitation of a remote service for lateral movement (T1210); and the payload in either case is arbitrary Unix shell command execution on the device (T1059.004).

Affected Assets

Vendor: totolink
Product: x6000r firmware
Version: 9.4.0cu.852_b20230719

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References