Unrated severity · NVD Advisory · Published Mar 23, 2023 · Updated Feb 25, 2025

CVE-2022-28491

Description

TOTOLink outdoor CPE CP900 V6.3c.566_B20171026 contains a command injection vulnerability in the NTPSyncWithHost function via the host_name parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TOTOLink CP900 outdoor CPE firmware V6.3c.566_B20171026 allows command injection in the NTPSyncWithHost function via the host_name parameter.

Vulnerability

TOTOLink outdoor CPE CP900 firmware version V6.3c.566_B20171026 contains a command injection vulnerability in the NTPSyncWithHost function. The host_name parameter (also referred to as host_time in the advisory [1]) is not sanitized before being used in a system command, allowing an attacker to inject arbitrary OS commands. The vulnerable firmware is identified by build TOTOLINK_C8B810C-1A_CP900_CP0016_QCA9531_SPI_16M128M_V6.3c.566_B20171026_ALL.web [1].
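One way to close the gap described above, shown as an added example that is not TOTOLINK's code and not taken from the advisory: validate the NTP host against a strict allowlist, then hand it to the helper as a single argv element instead of a shell string. The function names and the helper path are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper path: the page does not name the binary the firmware runs. */
#define NTP_HELPER "/usr/sbin/ntp-sync-helper"

static int is_ascii_alnum(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
}

/* Returns 1 only for RFC 1123 style host names (this also admits dotted-quad
 * IPv4). Shell metacharacters, whitespace and control bytes all fail. */
int ntp_host_is_valid(const char *host)
{
    size_t len = host ? strlen(host) : 0, label = 0;
    if (len == 0 || len > 253)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {                       /* label boundary */
            if (label == 0 || host[i - 1] == '-')
                return 0;                     /* empty label or label ending in '-' */
            label = 0;
        } else if (!is_ascii_alnum(c) && c != '-') {
            return 0;                         /* anything outside the allowlist */
        } else if ((c == '-' && label == 0) || ++label > 63) {
            return 0;                         /* leading '-' (option injection) or long label */
        }
    }
    return label != 0 && host[len - 1] != '-';
}

/* Host becomes one execv() argv element, never shell text. 0 = ok, -1 = rejected. */
int build_ntp_argv(const char *host, const char *argv[3])
{
    if (!ntp_host_is_valid(host))
        return -1;
    argv[0] = NTP_HELPER; argv[1] = host; argv[2] = NULL;
    return 0;
}

int main(void)
{
    const char *samples[] = { "pool.ntp.org", "192.168.1.1", "ntp.example.com;reboot", "-x" }; /* constructed */
    for (size_t i = 0; i < 4; i++)
        printf("%-24s %s\n", samples[i], ntp_host_is_valid(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Rejecting a leading `-` matters even without a shell, because the helper would otherwise parse the value as an option.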

Exploitation

An attacker must be able to send a crafted HTTP request to the affected device's management interface. No authentication is required if the management interface is exposed. By providing a malicious payload in the host_name parameter (e.g., appending shell metacharacters and commands), the attacker can trigger command execution. The advisory provides a proof-of-concept demonstrating the injection [1].

Impact

Successful exploitation allows remote, unauthenticated attackers to execute arbitrary operating system commands with the privileges of the web server (typically root on embedded devices). This leads to full compromise of the device, including the ability to modify configurations, exfiltrate data, or use the device as a pivot point for further attacks.

Mitigation

As of the publication date (2023-03-23), the vendor has not released a patched firmware version. Users should restrict management interface access to trusted networks, disable remote administration if not required, and monitor for any official firmware updates from TOTOLink.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • TOTOLINK/outdoor CPE CP900
  • Range: = 6.3c.566_B20171026

Patches

0

No patches discovered yet.

References

2
