CVE-2023-52039
Published: 24 January 2024
Summary
CVE-2023-52039 is a critical-severity Command Injection (CWE-77) vulnerability in TOTOLINK X6000R firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 30.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-52039 is a command injection vulnerability, tracked under CWE-77, that affects the TOTOLINK X6000R wireless router running firmware version v9.4.0cu.852_B20230719. The flaw resides in the sub_415AA4 function and permits unauthenticated remote attackers to execute arbitrary operating-system commands. It received a CVSS 3.1 base score of 9.8, reflecting network attack vector, low complexity, and no required privileges or user interaction.
An attacker with network access to the device can supply crafted input that reaches sub_415AA4, resulting in full control over the router. Successful exploitation grants the ability to read, modify, or delete data and to alter device behavior, satisfying the confidentiality, integrity, and availability impacts described in the CVSS vector.
The two provided references point to the same GitHub repository containing a technical write-up of the issue; neither reference nor the CVE record itself documents an official vendor advisory or patch.
The EPSS score for the CVE rose from a low baseline to a peak of 0.0727 on 2025-01-22 before receding to the current value of 0.0012, indicating a period of elevated predicted exploitation likelihood well after the January 2024 disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-56718
Vulnerability details
An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 allows attackers to run arbitrary commands via the sub_415AA4 function.
- CWE(s): CWE-77 (Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The command injection vulnerability in the TOTOLINK X6000R router firmware (via the sub_415AA4 function) enables exploitation of a public-facing web application for initial access (T1190), exploitation of remote services for code execution (T1210), and arbitrary Unix shell command execution (T1059.004).
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.