CVE-2023-24152

9.8 CRITICAL

📋 TL;DR

This critical vulnerability in TOTOLINK T8 routers allows remote attackers to execute arbitrary commands by sending specially crafted MQTT packets to the meshSlaveUpdate function. Attackers can gain complete control of affected devices without authentication. All users of vulnerable TOTOLINK T8 routers are affected.

💻 Affected Systems

Products:
  • TOTOLINK T8
Versions: V4.1.5cu (specific version mentioned in CVE)
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration. MQTT service typically runs on port 1883.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete device takeover leading to network compromise, data exfiltration, ransomware deployment, or use as botnet nodes for DDoS attacks.

🟠 Likely Case: Remote code execution allowing attackers to install malware, intercept network traffic, or pivot to other devices on the network.

🟢 If Mitigated: Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation.

🌐 Internet-Facing: HIGH - Directly exploitable over the internet via MQTT protocol without authentication.
🏢 Internal Only: HIGH - Exploitable from any network position with access to the device's MQTT service.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept available on GitHub. Exploitation requires sending crafted MQTT packets to the vulnerable parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown - No official vendor advisory found

Restart Required: No

Instructions:

Check TOTOLINK official website for firmware updates. If available, download latest firmware and apply through router web interface.

🔧 Temporary Workarounds

Block MQTT Port (linux)

Block inbound MQTT traffic to prevent external exploitation:

iptables -A INPUT -p tcp --dport 1883 -j DROP
iptables -A INPUT -p udp --dport 1883 -j DROP

Disable MQTT Service (all)

Disable MQTT functionality if not required: check the router web interface for MQTT/IoT settings.

🧯 If You Can't Patch

  • Isolate affected devices in separate VLAN with strict firewall rules
  • Implement network monitoring for unusual MQTT traffic patterns

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version in the web interface. If the version is V4.1.5cu, the device is vulnerable.

Check Version:

Check the router web interface (typically at 192.168.1.1) or run nmap -sV -p 80,443 [router_ip]

Verify Fix Applied:

Verify that the firmware version has been updated beyond V4.1.5cu.

📡 Detection & Monitoring

Log Indicators:

  • Unusual MQTT connection attempts
  • Unexpected command execution in system logs
  • Failed authentication attempts on MQTT port

Network Indicators:

  • MQTT packets with unusual payloads to port 1883
  • Outbound connections from router to suspicious IPs
  • Spike in MQTT traffic

SIEM Query:

source="router_logs" AND (port=1883 AND (payload="meshSlaveUpdate" OR payload="serverIp"))
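The log and network indicators above, together with the SIEM query, can be checked offline against exported router or firewall logs. The script below is an added example written for this page, not code from the advisory or from TOTOLINK: it assumes a key=value log format and a set of internal address ranges, both constructed here because the page specifies neither, and it flags MQTT (port 1883) events whose payload contains the query's keywords or whose source is outside the internal ranges.

```python
import ipaddress
import re

# Constructed sample log lines in an assumed key=value format. They are not
# taken from a real TOTOLINK device; the page describes no log format.
SAMPLE_LOGS = [
    'ts=2024-01-10T10:00:01Z src=192.168.1.20 dst=192.168.1.1 proto=tcp dport=1883 payload="CONNECT client=sensor01"',
    'ts=2024-01-10T10:00:05Z src=203.0.113.7 dst=192.168.1.1 proto=tcp dport=1883 payload="PUBLISH topic=mesh meshSlaveUpdate serverIp=192.0.2.55"',
    'ts=2024-01-10T10:00:09Z src=192.168.1.30 dst=192.168.1.1 proto=tcp dport=80 payload="GET /login.html"',
    'ts=2024-01-10T10:00:12Z src=192.168.1.20 dst=192.168.1.1 proto=tcp dport=1883 payload="PUBLISH topic=mesh serverIp=192.0.2.55"',
    'ts=2024-01-10T10:00:15Z src=198.51.100.4 dst=192.168.1.1 proto=tcp dport=1883 payload="CONNECT client=unknown"',
]

MQTT_PORT = 1883
# Keyword indicators taken from the page's SIEM query.
PAYLOAD_INDICATORS = ("meshSlaveUpdate", "serverIp")
# Assumed internal ranges (RFC 1918); adjust to the monitored network.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# key=value pairs; a value may be double-quoted and then contain spaces.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line: str) -> dict:
    """Parse one key=value log line into a dict (quoted values unquoted)."""
    event = {}
    for m in _KV_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        event[key] = quoted if quoted is not None else raw
    return event


def is_internal(addr: str) -> bool:
    """True if addr parses and falls inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def indicators(event: dict) -> list:
    """Return the names of the indicators this event matches (empty if none)."""
    reasons = []
    try:
        dport = int(event.get("dport", -1))
    except ValueError:
        return reasons
    if dport != MQTT_PORT:
        return reasons  # only MQTT traffic is in scope for this check
    payload = event.get("payload", "")
    if any(tok in payload for tok in PAYLOAD_INDICATORS):
        reasons.append("mqtt-payload-keyword")
    if not is_internal(event.get("src", "")):
        reasons.append("mqtt-from-external-source")
    return reasons


def scan(lines) -> list:
    """Return [(timestamp, src, reasons)] for each event matching at least one indicator."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        why = indicators(ev)
        if why:
            hits.append((ev.get("ts", "?"), ev.get("src", "?"), why))
    return hits


if __name__ == "__main__":
    for ts, src, why in scan(SAMPLE_LOGS):
        print(f"{ts} src={src} indicators={','.join(why)}")
```

Run against an exported log file by replacing SAMPLE_LOGS with the file's lines. The external-source rule will also fire for legitimate remote MQTT clients, so treat it as a triage signal; the keyword rule is the closer match to the SIEM query on the page.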
