CVE-2023-24138

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary commands on TOTOLINK CA300-PoE routers via command injection in the NTPSyncWithHost function. Attackers can exploit this by sending specially crafted requests to the vulnerable parameter, potentially gaining full control of affected devices. All users running vulnerable firmware versions are affected.

💻 Affected Systems

Products:
  • TOTOLINK CA300-PoE
Versions: V6.2c.884
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the specific firmware version mentioned; other versions may also be vulnerable but unconfirmed.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete device compromise leading to persistent backdoor installation, network pivoting to internal systems, data exfiltration, and use in botnets for DDoS attacks.

🟠 Likely Case: Unauthorized command execution allowing attackers to modify device configuration, intercept network traffic, or disable security features.

🟢 If Mitigated: Limited impact with proper network segmentation, firewall rules blocking unnecessary access, and regular monitoring.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, making them directly accessible to attackers without internal network access.
🏢 Internal Only: MEDIUM - If properly segmented, risk is reduced but still present from compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept exists in GitHub repositories, making exploitation straightforward for attackers with basic skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check the TOTOLINK website for firmware updates.
2. Download the latest firmware.
3. Access the router admin interface.
4. Navigate to the firmware upgrade section.
5. Upload and apply the new firmware.
6. Reboot the device.

🔧 Temporary Workarounds

Network Access Restriction

Platform: linux

Block external access to the router management interface using firewall rules. Current iptables versions require the negation before the match (`! -s`); the older `-s !` form is rejected. The LAN prefix 192.168.1.0/24 is an assumption; adjust it to your network.

# Drop HTTP/HTTPS management traffic from any source outside the LAN
iptables -A INPUT -p tcp --dport 80 ! -s 192.168.1.0/24 -j DROP
iptables -A INPUT -p tcp --dport 443 ! -s 192.168.1.0/24 -j DROP

Disable NTP Sync Feature

Platform: all

Turn off NTP synchronization in the router interface if it is not required.

🧯 If You Can't Patch

  • Isolate affected devices in separate VLAN with strict access controls
  • Implement network monitoring for suspicious traffic to/from router management interface

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface under System Status or Administration settings

Check Version:

curl -s http://router-ip/cgi-bin/cstecgi.cgi | grep -i version

Verify Fix Applied:

Confirm that the installed firmware version is newer than V6.2c.884 and that NTP synchronization still works after the upgrade.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in system logs
  • Multiple failed NTP sync attempts with malformed parameters
  • Unexpected process creation

Network Indicators:

  • HTTP POST requests to NTPSyncWithHost endpoint with shell metacharacters
  • Outbound connections from router to unexpected destinations

SIEM Query:

source="router.log" AND ("NTPSyncWithHost" OR "host_time") AND ("|" OR ";" OR "$" OR "`")
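The SIEM query above expresses the detection idea in one line; the following is an added example (not part of this advisory or of TOTOLINK's code) that applies the same logic to web-server log lines offline. It assumes requests to the NTPSyncWithHost handler reach the CGI endpoint `/cgi-bin/cstecgi.cgi` with `topicurl=NTPSyncWithHost` and a `host_time` parameter, names taken from the advisory's own query, and that those parameters appear in the logged request target. The log lines, source addresses and parameter values are constructed for the example; on a real device the parameters may travel in the POST body, which a standard access log does not record, so the same check would have to run on a body-logging proxy or packet capture.

```python
"""Flag log lines that look like command-injection attempts against the
NTPSyncWithHost handler (CVE-2023-24138).  Added example, not vendor code."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Characters that let a value break out of a shell command string.
SHELL_METACHARS = set(";|&`$\n")

# Constructed sample access-log lines (Apache common-log style).
# Line 1 is a benign sync, lines 2 and 3 carry metacharacters, line 4 is unrelated.
SAMPLE_LOG = """\
192.168.1.20 - - [10/Jan/2023:10:01:02 +0000] "POST /cgi-bin/cstecgi.cgi?topicurl=NTPSyncWithHost&host_time=pool.ntp.org HTTP/1.1" 200 54
203.0.113.7 - - [10/Jan/2023:10:05:44 +0000] "POST /cgi-bin/cstecgi.cgi?topicurl=NTPSyncWithHost&host_time=pool.ntp.org%3Bcmd HTTP/1.1" 200 54
198.51.100.9 - - [10/Jan/2023:10:06:10 +0000] "POST /cgi-bin/cstecgi.cgi?topicurl=NTPSyncWithHost&host_time=%60cmd%60 HTTP/1.1" 200 54
192.168.1.20 - - [10/Jan/2023:10:07:00 +0000] "GET /cgi-bin/cstecgi.cgi?topicurl=getSysStatus HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)


def suspicious_params(target):
    """Return {param: decoded_value} for every parameter of a NTPSyncWithHost
    request whose decoded value contains a shell metacharacter.
    Requests for other topics return an empty dict."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    if "NTPSyncWithHost" not in params.get("topicurl", []):
        return {}
    hits = {}
    for name, values in params.items():
        for raw in values:
            # parse_qs decoded once; decode again to catch double-encoded values.
            value = unquote(raw)
            if SHELL_METACHARS & set(value):
                hits[name] = value
    return hits


def scan_log(text):
    """Return one finding per log line that targets NTPSyncWithHost with a
    shell metacharacter in any parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m["target"])
        if hits:
            findings.append({"src": m["src"], "ts": m["ts"], "params": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['params']}")
```

Checking the decoded value rather than the raw query string matters: `%3B` and `%60` in the raw line would slip past a literal search for `;` or a backtick, which is also a weakness of the one-line SIEM query above when the log stores URL-encoded requests.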
