Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2023-46574Command Injection in A3700r Firmware

CWE-77Command Injection5 documents5 sources
Severity
9.8CRITICALNVD
EPSS
93.5%
top 0.17%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Totolink A3700r Firmware
Timeline
PublishedOct 25

Description

An issue in TOTOLINK A3700R v.9.1.2u.6165_20211012 allows a remote attacker to execute arbitrary code via the FileName parameter of the UploadFirmwareFile function.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

NVDtotolink/a3700r_firmware9.1.2u.6165_20211012

🔴Vulnerability Details

3
GHSA
GHSA-5xgm-7mgw-vcg3: An issue in TOTOLINK A3700R v2023-10-25
CVEList
CVE-2023-46574: An issue in TOTOLINK A3700R v2023-10-24
VulnCheck
totolink a3700r_firmware Improper Neutralization of Special Elements used in a Command ('Command Injection')2023

💥Exploits & PoCs

1
Nuclei
TOTOLINK A3700R - Command Injection
CVE-2023-46574 — Command Injection in A3700r Firmware | cvebase