CVE-2022-48113 – This vulnerability allows unauthenticated attac... (How to Fix)

Q: What is the severity of CVE-2022-48113?

CVE-2022-48113 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows unauthenticated attackers to access the telnet service on TOTOLINK N200RE_v5 routers via a crafted POST request, then gain root access using hardcoded credentials. It affects users of specific TOTOLINK router firmware versions. The CVSS 9.8 score indicates critical severity.

📋 TL;DR

This vulnerability allows unauthenticated attackers to access the telnet service on TOTOLINK N200RE_v5 routers via a crafted POST request, then gain root access using hardcoded credentials. It affects users of specific TOTOLINK router firmware versions. The CVSS 9.8 score indicates critical severity.

💻 Affected Systems

Products:

TOTOLINK N200RE_v5 router

Versions: Firmware V9.3.5u.6139

Operating Systems: Embedded Linux

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability exists in the default configuration with telnet service enabled and hardcoded credentials present.

📦 What is this software?

N200re V5 Firmware by Totolink

View all CVEs affecting N200re V5 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router with root access, enabling attackers to intercept all network traffic, install persistent malware, pivot to internal networks, or brick the device.

🟠

Likely Case

Attackers gain root access to the router, allowing them to monitor network traffic, modify DNS settings, or use the device as a foothold for further attacks.

🟢

If Mitigated

If telnet is disabled and proper network segmentation exists, impact is limited to denial of service if the router is accessible.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing, and the exploit requires no authentication, making them easy targets for automated attacks.

🏢 Internal Only: MEDIUM - If routers are only accessible internally, risk is reduced but still significant due to hardcoded credentials and unauthenticated access.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires sending a crafted POST request to trigger telnet access, then using hardcoded credentials. Public blog posts detail the exploit methodology.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not found in provided references

Restart Required: No

Instructions:

Check TOTOLINK website for firmware updates. If available, download and flash the updated firmware following vendor instructions.

🔧 Temporary Workarounds

Disable telnet service

all

Prevent telnet access by disabling the service through router administration interface

Block telnet port at firewall

linux

Configure network firewall to block incoming connections to port 23 (telnet)

iptables -A INPUT -p tcp --dport 23 -j DROP

🧯 If You Can't Patch

Isolate affected routers in a separate VLAN with strict access controls
Implement network monitoring for telnet connection attempts and unusual POST requests

🔍 How to Verify

Check if Vulnerable:

Attempt to access telnet service on port 23 after sending a crafted POST request to the router's web interface, then try root login with hardcoded credentials.

Check Version:

Check router web interface or use 'cat /proc/version' via SSH/telnet if accessible

Verify Fix Applied:

Verify telnet service is not accessible on port 23 and that the POST request no longer triggers telnet access.

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to router web interface
Telnet connection attempts from unexpected sources
Root login attempts via telnet

Network Indicators:

Telnet traffic (port 23) to routers
Crafted HTTP POST requests to router management interfaces

SIEM Query:

source="router_logs" AND (event="POST_request" OR event="telnet_connection")

📊 Metadata

CVE ID: CVE-2022-48113

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-798

Published: February 2, 2023

Last Updated: March 26, 2025

🔗 References

https://wefir.blogspot.com/2022/12/totolink-n200rev5-telnet-backdoor.html Exploit,Third Party Advisory
https://wefir.blogspot.com/2022/12/totolink-n200rev5-telnet-backdoor.html Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-48113, you might also want to check these: