// For flags

CVE-2023-4746

TOTOLINK N200RE V5 Validity_check format string

Severity Score

8.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A vulnerability classified as critical has been found in TOTOLINK N200RE V5 9.3.5u.6437_B20230519. This affects the function Validity_check. The manipulation leads to format string. It is possible to initiate the attack remotely. The root-cause of the vulnerability is a format string issue. But the impact is to bypass the validation which leads to to OS command injection. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-238635.

Una vulnerabilidad clasificada como crítica se ha encontrado en TOTOLINK N200RE V5 9.3.5u.6437_B20230519. Esto afecta a la comprobación de validez. La manipulación conduce a formatear la cadena. Es posible iniciar el ataque de forma remota. La causa principal de la vulnerabilidad es un problema de cadena de formato. Pero el impacto es eludir la validación que conduce a la inyección de comandos del sistema operativo. El exploit ha sido divulgado al público y puede utilizarse. El identificador de esta vulnerabilidad es VDB-238635.

Es wurde eine Schwachstelle in TOTOLINK N200RE V5 9.3.5u.6437_B20230519 entdeckt. Sie wurde als kritisch eingestuft. Es betrifft die Funktion Validity_check. Dank Manipulation mit unbekannten Daten kann eine format string-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk erfolgen. Der Exploit steht zur öffentlichen Verfügung.

*Credits: dmknght
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2023-09-03 CVE Reserved
  • 2023-09-04 CVE Published
  • 2024-08-02 CVE Updated
  • 2024-08-02 First Exploit
  • 2024-09-10 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-134: Use of Externally-Controlled Format String
CAPEC
References (2)
URL Tag Source
https://vuldb.com/?id.238635 Technical Description
URL Date SRC
https://gist.github.com/dmknght/8f3b6aa65e9d08f45b5236c6e9ab8d80 2024-08-02
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Totolink
Search vendor "Totolink"
 N200re-v5 Firmware
Search vendor "Totolink" for product "N200re-v5 Firmware"
 9.3.5u.6437_b20230519
Search vendor "Totolink" for product "N200re-v5 Firmware" and version "9.3.5u.6437_b20230519"
-
Affected
in Totolink
Search vendor "Totolink"
 N200re-v5
Search vendor "Totolink" for product "N200re-v5"
--
Safe