CVE-2022-28495
Description
TOTOLink outdoor CPE CP900 V6.3c.566_B20171026 is discovered to contain a command injection vulnerability in the setWebWlanIdx function via the webWlanIdx parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Command injection in TOTOLink CP900 outdoor CPE allows remote attackers to execute arbitrary commands.
Vulnerability
The TOTOLink outdoor CPE CP900 firmware version V6.3c.566_B20171026 contains a command injection vulnerability in the setWebWlanIdx function via the webWlanIdx parameter. The function fails to sanitize user-supplied input, allowing an attacker to inject arbitrary system commands. Affected versions include V6.3c.566_B20171026 and possibly earlier ones [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable endpoint, passing malicious command strings in the webWlanIdx parameter. No authentication is required if the device's web interface is exposed. The attacker must have network access to the device's management interface [1].
Impact
Successful exploitation grants the attacker arbitrary command execution with root privileges on the device. This can lead to full compromise of the device, including data exfiltration, installation of malware, or use of the device as a pivot for further attacks [1].
Mitigation
As of the publication date (March 2023), no official patch or firmware update has been released by TOTOLink to address this vulnerability. Users should restrict access to the web interface to trusted networks and monitor for vendor updates. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
TOTOLink / outdoor CPE CP900
Patches
No patches discovered yet.
References