Login Sign Up

CVE-2023-46423

9.8 CRITICAL
Remote Code Execution

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary commands on TOTOLINK X6000R routers via the sub_417094 function. Attackers can gain full control of affected devices without authentication. All users running the vulnerable firmware version are affected.

💻 Affected Systems

Products:
  • TOTOLINK X6000R
Versions: v9.4.0cu.652_B20230116
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects specific firmware version; other versions may also be vulnerable but unconfirmed.

📦 What is this software?

X6000r Firmware by Totolink

View all CVEs affecting X6000r Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of router leading to network takeover, data exfiltration, malware deployment, and pivot to internal network devices.

🟠

Likely Case

Router compromise leading to DNS hijacking, credential theft, man-in-the-middle attacks, and botnet recruitment.

🟢

If Mitigated

Limited impact if device is behind firewall with strict inbound filtering and not internet-facing.

🌐 Internet-Facing: HIGH - Directly accessible from internet, no authentication required for exploitation.
🏢 Internal Only: HIGH - Even internally, exploitation can lead to lateral movement and network compromise.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public GitHub repository contains technical details and likely exploit code. No authentication required for exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.totolink.cn/index.php/home/menu/detail.html?menu_listtpl=download&id=88&ids=36

Restart Required: Yes

Instructions:

1. Check vendor website for firmware updates. 2. Download latest firmware. 3. Upload via router admin interface. 4. Reboot router.

🔧 Temporary Workarounds

Network Isolation

all

Place router behind firewall with strict inbound filtering to block external access.

Access Restriction

all

Configure firewall to only allow management access from trusted IP addresses.

🧯 If You Can't Patch

  • Replace vulnerable router with different model or vendor
  • Implement network segmentation to isolate router from critical systems

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface. If version matches affected version, device is vulnerable.

Check Version:

Login to router admin interface and check firmware version in System Status or similar section.

Verify Fix Applied:

Verify firmware version has been updated to a version newer than v9.4.0cu.652_B20230116.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in router logs
  • Unexpected system process creation
  • Suspicious network traffic from router

Network Indicators:

  • Unexpected outbound connections from router
  • DNS queries to malicious domains
  • Port scanning originating from router

SIEM Query:

source="router_logs" AND ("command injection" OR "exec" OR "system" OR suspicious_process_name)

📊 Metadata

CVE ID: CVE-2023-46423
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-77
Published: October 25, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-46423, you might also want to check these:

CVE-2024-48841 10.0

This critical vulnerability in FLXEON software allows remote attackers to execute arbitrary code wit...

Same vulnerability type (CWE-77)
CVE-2025-59818 10.0

This vulnerability allows authenticated attackers to execute arbitrary system commands by manipulati...

Same vulnerability type (CWE-77)
CVE-2024-28354 10.0

This is a critical command injection vulnerability in TRENDnet TEW-827DRU routers that allows remote...

Same vulnerability type (CWE-77)