CVE-2023-37149

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary commands on TOTOLINK LR350 routers by injecting shell commands into the FileName parameter of the router's web interface. Attackers can gain full control of affected devices and, from there, compromise the network behind them. Only TOTOLINK LR350 routers running the specific vulnerable firmware version are confirmed affected.

💻 Affected Systems

Products:
  • TOTOLINK LR350
Versions: V9.3.5u.6369_B20220309
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: Only this specific firmware version is confirmed vulnerable. Other versions may also be affected but not confirmed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device takeover leading to network compromise, data exfiltration, lateral movement to other devices, and persistent backdoor installation.

🟠 Likely Case

Remote code execution allowing attackers to modify router settings, intercept traffic, or use the device as a pivot point for further attacks.

🟢 If Mitigated

Limited impact if proper network segmentation, firewall rules, and access controls prevent external exploitation attempts.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, and this vulnerability allows unauthenticated remote exploitation.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they have network access to the router's management interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A public proof-of-concept exists in a GitHub repository. Exploitation requires sending crafted HTTP requests to the router's web interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check the TOTOLINK official website for firmware updates
2. Download the latest firmware for the LR350 model
3. Access the router web interface
4. Navigate to the firmware upgrade section
5. Upload and apply the new firmware
6. Reboot the router after the update

🔧 Temporary Workarounds

Disable remote management (applies to: all)

Prevent external access to the router web interface.
Access router settings → System → Remote Management → Disable

Restrict management interface access (applies to: all)

Limit which IP addresses can access the router admin interface.
Access router settings → Firewall → Access Control → Add rules to restrict admin access

🧯 If You Can't Patch

  • Isolate vulnerable routers in a separate VLAN with strict firewall rules
  • Implement network monitoring for suspicious traffic to and from the router management interface

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in web interface: System → Firmware Upgrade → Current Version

Check Version:

curl -s http://router-ip/cgi-bin/luci/ | grep firmware

Verify Fix Applied:

Verify firmware version is no longer V9.3.5u.6369_B20220309

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /cgi-bin/luci with FileName parameter containing shell metacharacters
  • Unexpected system command execution in router logs

Network Indicators:

  • HTTP requests to router management interface from unexpected sources
  • Outbound connections from router to suspicious IPs

SIEM Query:

source="router_logs" AND (uri_path="/cgi-bin/luci" AND method="POST" AND (param="FileName" AND value MATCHES "[;&|`$()]"))
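The same check as the SIEM query above, as an added example that is not part of the original page: it scans web-server log lines for POST requests to /cgi-bin/luci whose FileName parameter (in the query string or the form body) contains shell metacharacters, percent-decoding values first so encoded payloads are not missed. The log format and sample lines are constructed for illustration; adapt the parser to your own log source.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Same metacharacter class as the SIEM query on this page.
SHELL_META = re.compile(r"[;&|`$()]")

# Constructed sample lines: "<client-ip> <method> <uri> <form-body-or-dash>".
SAMPLE_LOG = """\
203.0.113.7 POST /cgi-bin/luci FileName=report.txt
203.0.113.8 POST /cgi-bin/luci FileName=a.txt%3Bid
203.0.113.9 POST /cgi-bin/luci?FileName=x%7Cls -
198.51.100.2 GET /cgi-bin/luci -
203.0.113.10 POST /cgi-bin/upload FileName=$(id)
"""


def filename_values(uri, body):
    """Collect every FileName value from the query string and the form body.
    parse_qs decodes one layer of percent-encoding; the extra unquote also
    catches double-encoded values such as %253B."""
    parts = urlsplit(uri)
    values = parse_qs(parts.query, keep_blank_values=True).get("FileName", [])
    if body != "-":
        values += parse_qs(body, keep_blank_values=True).get("FileName", [])
    return [unquote(v) for v in values]


def is_suspicious(method, uri, body):
    """True for a POST to /cgi-bin/luci whose FileName carries shell metacharacters."""
    if method != "POST" or urlsplit(uri).path != "/cgi-bin/luci":
        return False
    return any(SHELL_META.search(v) for v in filename_values(uri, body))


def scan_log(text):
    """Return (client_ip, decoded FileName values) for each suspicious line."""
    hits = []
    for line in text.splitlines():
        try:
            ip, method, uri, body = line.split(maxsplit=3)
        except ValueError:
            continue  # malformed line: skip it rather than abort the scan
        if is_suspicious(method, uri, body):
            hits.append((ip, filename_values(uri, body)))
    return hits


if __name__ == "__main__":
    for ip, values in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip}: FileName={values}")
```

Note that an unencoded `&` inside a form value is a parameter separator and is split off before matching; only its encoded form (`%26`) reaches the regex, so pair this with the raw-request inspection your SIEM already does.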
