CVE-2023-36955

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on TOTOLINK CP300+ routers by exploiting a stack overflow in the UploadCustomModule function. Attackers can achieve full system compromise by sending specially crafted requests. All users running affected firmware versions are vulnerable.

💻 Affected Systems

Products:
  • TOTOLINK CP300+
Versions: V5.2cu.7594_B20200910 and earlier
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface of the router. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover with root privileges, enabling persistent backdoor installation, network traffic interception, and lateral movement to other devices.

🟠 Likely Case

Remote code execution leading to router compromise, credential theft, DNS hijacking, and botnet recruitment.

🟢 If Mitigated

Limited impact with proper network segmentation and firewall rules blocking external access to router management interfaces.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices with web management interfaces exposed.
🏢 Internal Only: MEDIUM - Internal attackers could exploit if they have network access to the router's management interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept available in a GitHub repository. Exploitation requires sending an HTTP request with a malicious File parameter to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check TOTOLINK website for firmware updates
2. Download latest firmware if available
3. Access router web interface
4. Navigate to firmware upgrade section
5. Upload and install new firmware
6. Reboot router

🔧 Temporary Workarounds

Disable remote management (applies to: all)

Prevent external access to router web interface

Access router settings → Administration → Remote Management → Disable

Restrict management interface access (applies to: all)

Limit access to router management to trusted IPs only

Access router settings → Security → Access Control → Add trusted IP ranges

🧯 If You Can't Patch

  • Segment router management interface to isolated VLAN
  • Implement WAF rules to block requests with suspicious File parameter patterns

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface: Login → Status → Device Info → Firmware Version

Check Version:

curl -s http://router-ip/status.cgi | grep firmware_version

Verify Fix Applied:

Verify firmware version is newer than V5.2cu.7594_B20200910
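The version check above is easy to get wrong by hand, because the TOTOLINK version string mixes a release number, a tag, a build number and a build date. The following is an added example (not part of the original page) that parses the string shape seen on this page, V<major>.<minor><tag>.<build>_B<yyyymmdd>, and compares it against the last known vulnerable build. The ordering used (numeric fields first, then build date) and the key=value shape of the status output are assumptions; the vendor does not document either.

```python
import re
from typing import Optional, Tuple

# Version string shape assumed from the page's example ("V5.2cu.7594_B20200910"):
# V<major>.<minor><tag>.<build>_B<yyyymmdd>. Ordering by (major, minor, build, date)
# is an assumption, not a vendor-documented rule.
VERSION_RE = re.compile(r"^V(\d+)\.(\d+)[a-z]*\.(\d+)_B(\d{8})$", re.IGNORECASE)

# Last vulnerable version as stated in the advisory text.
LAST_VULNERABLE = "V5.2cu.7594_B20200910"


def parse_version(s: str) -> Optional[Tuple[int, ...]]:
    """Return (major, minor, build, date) as integers, or None if the string
    does not follow the expected shape."""
    m = VERSION_RE.match(s.strip())
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def is_vulnerable(version: str) -> Optional[bool]:
    """True if version is at or below the last vulnerable build, False if newer,
    None if the string could not be parsed (treat None as 'check manually')."""
    v = parse_version(version)
    ref = parse_version(LAST_VULNERABLE)
    if v is None or ref is None:
        return None
    return v <= ref


def parse_status_output(text: str) -> Optional[str]:
    """Pull the firmware_version value out of status output. The
    'firmware_version=<value>' / 'firmware_version: <value>' shape is a
    constructed assumption about what the grep on this page returns."""
    m = re.search(r'firmware_version\s*[:=]\s*"?([^\s"]+)', text)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed sample output; not captured from a real device.
    sample = "model=CP300+\nfirmware_version=V5.2cu.7594_B20200910\n"
    fw = parse_status_output(sample)
    print(f"firmware: {fw}, vulnerable: {is_vulnerable(fw or '')}")
```

If the device reports a version that does not parse, do not assume it is patched; compare it manually against the advisory and the vendor's download page.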

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to UploadCustomModule endpoint with large File parameter
  • Router crash/reboot logs
  • Unusual process execution in router logs

Network Indicators:

  • HTTP traffic to router management port with suspicious upload patterns
  • Outbound connections from router to unknown IPs

SIEM Query:

source="router_logs" AND (uri="/cgi-bin/UploadCustomModule" OR method="POST" AND file_size>1000000)
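For environments without a SIEM, the same logic can be applied directly to exported web-server logs from the router or a reverse proxy in front of it. The following is an added example (not from the original page) that turns the log indicators and the SIEM query above into a small scanner: it flags oversized POSTs to the UploadCustomModule endpoint as high severity, any other contact with that endpoint as medium, and oversized POSTs elsewhere on the management interface as low, then counts alerts per client so repeated probing stands out. The access-log layout and the sample lines are constructed; the endpoint path is the one the page's SIEM query uses and may differ between firmware builds.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Constructed access-log layout for this example (an assumption; the router's
# real log format is not described on the page):
# <timestamp> <client_ip> "<METHOD> <uri> HTTP/1.x" <status> <request_bytes>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)$'
)

# Endpoint name and size threshold taken from the page's indicators and SIEM query.
SUSPECT_ENDPOINT = "UploadCustomModule"
LARGE_REQUEST_BYTES = 1_000_000


class Alert(NamedTuple):
    ts: str
    ip: str
    severity: str
    reason: str


def classify(line: str) -> Optional[Alert]:
    """Map one log line to an Alert, or None if it is benign or unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    hits_endpoint = SUSPECT_ENDPOINT in f["uri"]
    is_post = f["method"] == "POST"
    oversized = int(f["bytes"]) > LARGE_REQUEST_BYTES
    if hits_endpoint and is_post and oversized:
        return Alert(f["ts"], f["ip"], "high", "oversized POST to UploadCustomModule")
    if hits_endpoint:
        # Normal administration rarely touches this endpoint; worth a look on its own.
        return Alert(f["ts"], f["ip"], "medium", "request to UploadCustomModule")
    if is_post and oversized:
        # Matches the SIEM query's size clause without the endpoint match.
        return Alert(f["ts"], f["ip"], "low", "oversized POST to management interface")
    return None


def scan(lines: List[str]) -> List[Alert]:
    """Run classify() over a batch of lines, dropping benign and malformed ones."""
    return [a for a in (classify(line) for line in lines) if a is not None]


def alerts_by_source(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts per client IP so repeated probing from one host stands out."""
    return dict(Counter(a.ip for a in alerts))


# Constructed sample lines; none are captured from a real device.
SAMPLE_LINES = [
    '2024-05-01T08:00:01Z 192.0.2.10 "GET /status.cgi HTTP/1.1" 200 0',
    '2024-05-01T08:00:02Z 198.51.100.7 "GET /cgi-bin/UploadCustomModule HTTP/1.1" 200 0',
    '2024-05-01T08:00:03Z 198.51.100.7 "POST /cgi-bin/UploadCustomModule HTTP/1.1" 500 2400000',
    '2024-05-01T08:00:04Z 192.0.2.11 "POST /cgi-bin/login HTTP/1.1" 200 5000000',
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LINES)
    for a in found:
        print(f"[{a.severity}] {a.ts} {a.ip}: {a.reason}")
    print(alerts_by_source(found))
```

A high-severity hit followed by a router reboot entry in the same window is the combination the log indicators above describe, and the per-source counts give a quick pivot for blocking or further investigation of the originating address.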
