CVE-2022-29395

9.8 CRITICAL

📋 TL;DR

This vulnerability is a stack overflow in TOTOLINK N600R routers that allows remote attackers to execute arbitrary code via the apcliKey parameter in the setWiFiRepeaterConfig function. Attackers can potentially take full control of affected devices. This affects users of TOTOLINK N600R routers with vulnerable firmware versions.

💻 Affected Systems

Products:
  • TOTOLINK N600R
Versions: V4.3.0cu.7647_B20210106 and likely earlier versions
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface. Devices with default configurations are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete device compromise leading to persistent backdoor installation, network traffic interception, lateral movement to other devices, and participation in botnets.

🟠 Likely Case: Remote code execution allowing attackers to modify router settings, intercept traffic, or use the device as a foothold for further attacks.

🟢 If Mitigated: Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept available on GitHub. Exploitation requires sending crafted HTTP requests to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

Check TOTOLINK official website for firmware updates. If available, download and install via web interface: Login > System Tools > Firmware Upgrade > Browse > Upload > Upgrade.

🔧 Temporary Workarounds

Disable Remote Management (applies to: all)
  Prevent external access to the web management interface

Network Segmentation (applies to: all)
  Isolate vulnerable routers from critical network segments

🧯 If You Can't Patch

  • Replace vulnerable devices with supported models
  • Implement strict firewall rules blocking all inbound traffic to router management interfaces

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface: Login > Status > Device Info. If version is V4.3.0cu.7647_B20210106 or earlier, device is likely vulnerable.

Check Version:

curl -s http://router-ip/status.asp | grep -i version

Verify Fix Applied:

Verify firmware version has been updated to a version later than V4.3.0cu.7647_B20210106

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP POST requests to /cgi-bin/cstecgi.cgi with large apcliKey parameter
  • Multiple failed authentication attempts followed by successful exploitation

Network Indicators:

  • Unusual outbound connections from router to unknown IPs
  • Traffic patterns indicating command and control communication

SIEM Query:

source="router-logs" AND ((uri="/cgi-bin/cstecgi.cgi" AND method="POST" AND size>1000) OR (process="httpd" AND args CONTAINS "apcliKey"))
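The log check described by the indicators above, as an added example that is not part of this advisory: it scans request records for POSTs to /cgi-bin/cstecgi.cgi with an oversized body or an abnormally long apcliKey value. The log line format and the assumption that the body is either form-encoded or JSON are constructed for this example; the 63-character limit follows from WPA/WPA2 passphrases being at most 63 characters, so a longer apcliKey is never a legitimate repeater key.

```python
import json
import re
from urllib.parse import parse_qs

# Constructed log format (an assumption, not a real TOTOLINK log format):
# <client-ip> <METHOD> <uri> <content-length> <body>
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d+) (.*)$')

TARGET_URI = "/cgi-bin/cstecgi.cgi"
MAX_KEY_LEN = 63        # WPA/WPA2 passphrases are 8-63 characters
SIZE_THRESHOLD = 1000   # matches the size>1000 clause of the SIEM query


def extract_apclikey(body):
    """Return the apcliKey value from a form-encoded or JSON body, or None."""
    body = body.strip()
    if body.startswith("{"):
        try:
            return json.loads(body).get("apcliKey")
        except (ValueError, AttributeError):
            return None
    vals = parse_qs(body, keep_blank_values=True).get("apcliKey")
    return vals[0] if vals else None


def find_suspicious(lines):
    """Flag POSTs to cstecgi.cgi whose body or apcliKey exceeds the thresholds."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, uri, size, body = m.groups()
        if method != "POST" or uri != TARGET_URI:
            continue
        key = extract_apclikey(body)
        reasons = []
        if int(size) > SIZE_THRESHOLD:
            reasons.append("body>%d" % SIZE_THRESHOLD)
        if key is not None and len(key) > MAX_KEY_LEN:
            reasons.append("apcliKey_len=%d" % len(key))
        if reasons:
            hits.append((ip, reasons))
    return hits


# Constructed sample records: a benign repeater config, an oversized key, a GET
SAMPLE_LOG = [
    "192.0.2.10 POST /cgi-bin/cstecgi.cgi 120 " + json.dumps({"apcliKey": "correct horse battery"}),
    "198.51.100.7 POST /cgi-bin/cstecgi.cgi 1500 apcliKey=" + "A" * 1400 + "&apcliSsid=test",
    "192.0.2.11 GET /status.asp 0 ",
]

if __name__ == "__main__":
    for ip, reasons in find_suspicious(SAMPLE_LOG):
        print(ip, reasons)
```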
