Cyber Resilience

CVE-2023-52040

Critical · Public PoC · RCE

Published: 24 January 2024
Modified: 21 November 2024
KEV Added: not listed
Patch: none referenced
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (28.0th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-52040 is a critical-severity command injection (CWE-77) vulnerability in TOTOLINK X6000R firmware, with a CVSS v3.1 base score of 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Device CLI (T1059.008). The CVE ranks at the 28.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Deeper analysis

CVE-2023-52040 is a command injection vulnerability affecting the TOTOLINK X6000R wireless router running firmware version v9.4.0cu.852_B20230719. The flaw resides in the sub_41284C function and is tracked under CWE-77; it allows unauthenticated remote attackers to supply crafted input that results in arbitrary operating system command execution. It received a CVSS 3.1 base score of 9.8, reflecting a network attack vector, low attack complexity, and no required privileges or user interaction.

An attacker with network access to the device can directly invoke the vulnerable function to execute arbitrary commands. Successful exploitation grants complete control over the router, allowing modification of configuration, interception of traffic, installation of persistent malware, or use of the device as a pivot point into attached networks.

The EPSS score for this CVE remained low immediately after disclosure but rose materially to a peak of 0.0727 on 2025-01-22 before receding to its current value of 0.0010, indicating a period of increased exploitation interest roughly one year after publication. Public references consist of technical write-ups hosted on GitHub that demonstrate the issue; none of them is a vendor advisory, and no patch information is provided.

Vulnerability details

An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 allows attackers to run arbitrary commands via the sub_41284C function.

CWE(s)

CWE-77 (Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command-line interpreters (CLI) on network devices to execute malicious commands and payloads.

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside a network.

Why these techniques?

CVE-2023-52040 allows remote arbitrary command execution on the TOTOLINK X6000R router via a vulnerable function, which maps to exploitation of a public-facing application (T1190), exploitation of remote services (T1210), and command or script execution through the network device CLI (T1059.008).

Affected Assets

Vendor: totolink
Product: x6000r firmware
Version: 9.4.0cu.852_b20230719

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.