CVE-2022-28908

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary commands on TOTOLink N600R routers via command injection in the ipdoamin parameter. Attackers can gain full control of affected devices, potentially compromising entire networks. Only TOTOLink N600R routers running specific vulnerable firmware are affected.

💻 Affected Systems

Products:
  • TOTOLink N600R
Versions: V5.3c.7159_B20190425
Operating Systems: Embedded Linux firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects web management interface accessible via LAN/WAN. No authentication bypass required.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device takeover leading to network compromise, data exfiltration, lateral movement to other devices, and persistent backdoor installation.

🟠 Likely Case

Router compromise allowing traffic interception, DNS hijacking, credential theft, and use of the device as an attack platform against the internal network.

🟢 If Mitigated

Limited impact if the device sits behind a firewall with restricted WAN access and proper network segmentation.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices with direct WAN exposure.
🏢 Internal Only: MEDIUM - Internal exploitation possible if attacker gains network access through other means.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available in GitHub repositories. A single HTTP POST request with a crafted payload is enough to trigger exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not publicly available

Restart Required: No

Instructions:

No official patch is available. Check the TOTOLink website for firmware updates; if none is available, apply the workarounds below.

🔧 Temporary Workarounds

Network Access Restriction (linux)

Block external access to the router web interface using firewall rules. The rules are limited to the WAN interface so that LAN-side administration keeps working; WAN_IF is a placeholder for the router's WAN interface name.

iptables -A INPUT -i WAN_IF -p tcp --dport 80 -j DROP
iptables -A INPUT -i WAN_IF -p tcp --dport 443 -j DROP

Disable Remote Management (all)

Turn off WAN access to the management interface in the router settings.

🧯 If You Can't Patch

  • Segment router on isolated network segment with strict firewall rules
  • Implement network monitoring for suspicious HTTP POST requests to /setting/setDiagnosisCfg

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface under System Status or About page

Check Version:

curl -s http://router-ip/cgi-bin/luci/ | grep -i version

Verify Fix Applied:

Verify firmware version is newer than V5.3c.7159_B20190425

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /setting/setDiagnosisCfg with unusual ipdoamin parameter values
  • System logs showing unexpected command execution

Network Indicators:

  • HTTP traffic to router on port 80/443 containing shell metacharacters in POST data
  • Outbound connections from router to suspicious IPs

SIEM Query:

source="router_logs" AND uri="/setting/setDiagnosisCfg" AND (param="ipdoamin" AND value MATCHES "[;&|`$()]+")
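The log and network indicators above, as an added example that is not part of the advisory: a small Python scanner that flags requests to /setting/setDiagnosisCfg whose ipdoamin value contains the shell metacharacters the SIEM query looks for. The log line format and the sample entries are constructed; values are percent-decoded twice so that an encoded (%3B) or double-encoded (%253B) metacharacter is not missed by a match on the raw string.

```python
import re
from urllib.parse import unquote_plus, urlsplit

TARGET_PATH = "/setting/setDiagnosisCfg"   # endpoint named in the advisory
PARAM = "ipdoamin"                          # the real (misspelled) parameter name
METACHARS = re.compile(r"[;&|`$()\n]")      # advisory's indicator set, plus newline

def form_param(data, name):
    """First raw value of `name` in a form-encoded string, split on '&' only."""
    for pair in data.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == name:
            return value
    return None

def inspect_request(line):
    """Return a finding dict for one constructed log line, or None if benign."""
    parts = line.split(" ", 3)
    if len(parts) < 3:
        return None                         # malformed line, ignore
    client, method, uri = parts[:3]
    body = parts[3] if len(parts) == 4 else ""
    url = urlsplit(uri)
    if url.path != TARGET_PATH:
        return None                         # other endpoints are out of scope here
    raw = form_param(body, PARAM)
    if raw is None:
        raw = form_param(url.query, PARAM)  # parameter may also travel in the query string
    if raw is None:
        return None
    # Decode twice so both %3B and double-encoded %253B are inspected as ';'.
    decoded = unquote_plus(unquote_plus(raw))
    found = sorted(set(METACHARS.findall(decoded)))
    if not found:
        return None
    return {"client": client, "method": method, "value": decoded, "metachars": found}

def scan(lines):
    """Run inspect_request over a log and return the findings in order."""
    return [f for f in map(inspect_request, lines) if f]

# Constructed sample log, "<client> <method> <uri> <form body>": benign, ';', double-encoded "$( )", backticks, other endpoint.
SAMPLE_LOG = [
    "192.0.2.10 POST /setting/setDiagnosisCfg ipdoamin=example.com",
    "192.0.2.11 POST /setting/setDiagnosisCfg ipdoamin=8.8.8.8%3Bcmd",
    "192.0.2.12 POST /setting/setDiagnosisCfg ipdoamin=%2524%2528cmd%2529",
    "192.0.2.13 GET /setting/setDiagnosisCfg?ipdoamin=1.1.1.1%60cmd%60",
    "192.0.2.14 POST /setting/setWizardCfg ipdoamin=%3Bcmd",
]
```

Running scan(SAMPLE_LOG) reports the three middle entries and ignores the benign value and the request to a different endpoint.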
