CVE-2022-28494

9.8 CRITICAL

📋 TL;DR

This CVE describes a command injection vulnerability in TOTOLink CP900 outdoor CPE devices that allows attackers to execute arbitrary commands via the filename parameter in the setUpgradeFW function. Attackers can achieve remote code execution with high privileges. This affects all users of the vulnerable TOTOLink CP900 firmware version.

💻 Affected Systems

Products:
  • TOTOLink outdoor CPE CP900
Versions: V6.3c.566_B20171026
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the web interface's firmware upgrade functionality. No special configuration is required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing attackers to install persistent backdoors, pivot to internal networks, intercept traffic, or use the device as part of a botnet.

🟠

Likely Case

Remote code execution leading to device takeover, credential theft, and network reconnaissance.

🟢

If Mitigated

Limited impact if device is behind firewall with strict inbound rules and network segmentation.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication on internet-facing devices.
🏢 Internal Only: HIGH - Even internally, the vulnerability allows complete device compromise and lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept code exists in GitHub repositories. The exploit requires sending a crafted HTTP request to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

Check TOTOLink official website for firmware updates. If available, download the latest firmware and upload via the web interface's firmware upgrade section.

🔧 Temporary Workarounds

Network Access Control
Applies to: all
Restrict access to the device's management interface using firewall rules

Disable Remote Management
Applies to: all
Disable WAN-side access to the management interface if enabled

🧯 If You Can't Patch

  • Isolate the device in a separate VLAN with strict firewall rules preventing inbound connections
  • Implement network monitoring for suspicious traffic to/from the device

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the web interface: System Tools > Firmware Upgrade. If the version is V6.3c.566_B20171026, the device is vulnerable.

Check Version:

No CLI command is available. The version must be checked via the web interface at System Tools > Firmware Upgrade.

Verify Fix Applied:

Verify that the firmware version has been updated to a version newer than V6.3c.566_B20171026.

📡 Detection & Monitoring

Log Indicators:

  • Unusual firmware upgrade attempts
  • HTTP requests to /cgi-bin/cstecgi.cgi with filename parameter containing shell metacharacters

Network Indicators:

  • HTTP POST requests to /cgi-bin/cstecgi.cgi with suspicious filename parameters
  • Outbound connections from device to unexpected destinations

SIEM Query:

http.method:POST AND http.uri:"/cgi-bin/cstecgi.cgi" AND http.post_data:*filename=* AND (http.post_data:*;* OR http.post_data:*|* OR http.post_data:*`* OR http.post_data:*$(*)
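The SIEM query above matches metacharacters as raw substrings of the POST body, so a percent-encoded `;` (`%3B`) would slip past it. The following added example (not code from the page) applies the same rule to constructed event records after URL-decoding the `filename` value; the form-encoded body shape and the field names are assumptions taken from the query.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample events in the field layout the page's SIEM query uses.
# These are not real captures; bodies are assumed to be form-encoded.
SAMPLE_EVENTS = [
    {"http.method": "POST", "http.uri": "/cgi-bin/cstecgi.cgi",
     "http.post_data": "filename=firmware.bin"},                  # benign
    {"http.method": "POST", "http.uri": "/cgi-bin/cstecgi.cgi",
     "http.post_data": "filename=a.bin;id"},                      # raw ';'
    {"http.method": "POST", "http.uri": "/cgi-bin/cstecgi.cgi",
     "http.post_data": "filename=a.bin%3Bid"},                    # encoded ';'
    {"http.method": "GET", "http.uri": "/cgi-bin/cstecgi.cgi",
     "http.post_data": ""},                                       # wrong method
    {"http.method": "POST", "http.uri": "/login.cgi",
     "http.post_data": "user=admin;x"},                           # wrong endpoint
]

# Metacharacters from the page's query (; | ` $( ) plus && and newline,
# which also terminate or chain shell commands.
METACHAR_RE = re.compile(r"[;|`\n]|\$\(|&&")

def filename_values(post_data):
    """Return every URL-decoded value of the 'filename' parameter.
    The body is split on '&' by hand rather than with parse_qs so that a
    literal ';' inside a value is never treated as a pair separator."""
    values = []
    for pair in post_data.split("&"):
        key, sep, value = pair.partition("=")
        if sep and unquote_plus(key) == "filename":
            values.append(unquote_plus(value))
    return values

def is_setupgradefw_injection(event):
    """Same condition as the SIEM query, evaluated on decoded values."""
    if event.get("http.method") != "POST":
        return False
    # Ignore any query string so '/cgi-bin/cstecgi.cgi?x=1' still matches.
    if event.get("http.uri", "").split("?", 1)[0] != "/cgi-bin/cstecgi.cgi":
        return False
    values = filename_values(event.get("http.post_data", ""))
    return any(METACHAR_RE.search(v) for v in values)

def flag_events(events):
    """Indices of events that should raise an alert."""
    return [i for i, e in enumerate(events) if is_setupgradefw_injection(e)]

if __name__ == "__main__":
    for i in flag_events(SAMPLE_EVENTS):
        print("ALERT event", i, SAMPLE_EVENTS[i]["http.post_data"])
```

Events 1 and 2 are flagged; the encoded variant is the case the raw query misses.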
