Login Sign Up

CVE-2023-24146

9.8 CRITICAL
Remote Code Execution

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary commands on TOTOLINK CA300-PoE routers by injecting malicious commands into the minute parameter of the setRebootScheCfg function. Attackers can gain full control of affected devices, potentially compromising network security. Organizations using these routers are affected.

💻 Affected Systems

Products:
  • TOTOLINK CA300-PoE
Versions: V6.2c.884
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the specific firmware version mentioned; other versions may also be vulnerable but unconfirmed.

📦 What is this software?

Ca300 Poe Firmware by Totolink

View all CVEs affecting Ca300 Poe Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device takeover leading to network compromise, data exfiltration, lateral movement to other systems, and persistent backdoor installation.

🟠

Likely Case

Router compromise allowing network traffic interception, credential theft, and use as pivot point for further attacks.

🟢

If Mitigated

Limited impact if device is isolated, properly segmented, and monitored for suspicious activity.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, making them directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept available on GitHub; command injection vulnerabilities are typically easy to weaponize.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

Check TOTOLINK website for firmware updates. If available, download latest firmware and follow vendor upgrade instructions.

🔧 Temporary Workarounds

Disable remote management

all

Disable remote administration/management features to prevent external exploitation

Network segmentation

all

Isolate affected routers in separate network segments with strict firewall rules

🧯 If You Can't Patch

  • Replace affected devices with patched or alternative models
  • Implement strict network access controls and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via web interface or CLI. If version is V6.2c.884, device is vulnerable.

Check Version:

Check router web interface under System Status or use vendor-specific CLI commands

Verify Fix Applied:

Verify firmware version has been updated to a version later than V6.2c.884

📡 Detection & Monitoring

Log Indicators:

  • Unusual reboot schedules
  • Suspicious commands in system logs
  • Unexpected configuration changes

Network Indicators:

  • Unusual outbound connections from router
  • Traffic patterns indicating command and control

SIEM Query:

source="router_logs" AND ("setRebootScheCfg" OR "minute=" AND ("|" OR ";" OR "$" OR "`"))

📊 Metadata

CVE ID: CVE-2023-24146
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-77
Published: February 3, 2023
Last Updated: March 26, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-24146, you might also want to check these:

CVE-2024-48841 10.0

This critical vulnerability in FLXEON software allows remote attackers to execute arbitrary code wit...

Same vulnerability type (CWE-77)
CVE-2025-59818 10.0

This vulnerability allows authenticated attackers to execute arbitrary system commands by manipulati...

Same vulnerability type (CWE-77)
CVE-2024-28354 10.0

This is a critical command injection vulnerability in TRENDnet TEW-827DRU routers that allows remote...

Same vulnerability type (CWE-77)