Login Sign Up

CVE-2023-46993

9.8 CRITICAL
Remote Code Execution

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary commands on TOTOLINK A3300R routers by exploiting improper input validation in the setLedCfg request. Attackers can gain full control of affected devices without authentication. All users running the vulnerable firmware version are affected.

💻 Affected Systems

Products:
  • TOTOLINK A3300R
Versions: V17.0.0cu.557_B20221024
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the specific firmware version mentioned; other versions may also be vulnerable but unconfirmed.

📦 What is this software?

A3300r Firmware by Totolink

View all CVEs affecting A3300r Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing persistent backdoor installation, network traffic interception, lateral movement to other devices, and botnet recruitment.

🟠

Likely Case

Remote code execution leading to device takeover, credential theft, and use as pivot point for internal network attacks.

🟢

If Mitigated

Limited impact with proper network segmentation, but still vulnerable to authenticated attackers or those with network access.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing and the exploit requires no authentication.
🏢 Internal Only: HIGH - Even if not internet-facing, any network-accessible device can be exploited.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept exists in GitHub repository; command injection vulnerabilities are commonly weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check TOTOLINK official website for firmware updates. 2. Download latest firmware. 3. Access router admin interface. 4. Navigate to firmware upgrade section. 5. Upload and apply new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate router management interface from untrusted networks

Access Control Lists

linux

Restrict access to router management interface to trusted IPs only

iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

  • Replace affected devices with patched or different vendor equipment
  • Implement strict network segmentation and firewall rules to limit router exposure

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface; if version is V17.0.0cu.557_B20221024, device is vulnerable.

Check Version:

Check router web interface at http://router-ip/ or use nmap scan for banner grabbing

Verify Fix Applied:

Verify firmware version has been updated to a version later than V17.0.0cu.557_B20221024.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to setLedCfg endpoint
  • Suspicious command execution in system logs
  • Multiple failed login attempts followed by successful access

Network Indicators:

  • Unusual outbound connections from router
  • Traffic to known malicious IPs
  • Unexpected port scans originating from router

SIEM Query:

source="router_logs" AND (uri="/cgi-bin/setLedCfg" OR command="*;*" OR command="*|*")

📊 Metadata

CVE ID: CVE-2023-46993
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-77
Published: October 31, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-46993, you might also want to check these:

CVE-2024-48841 10.0

This critical vulnerability in FLXEON software allows remote attackers to execute arbitrary code wit...

Same vulnerability type (CWE-77)
CVE-2025-59818 10.0

This vulnerability allows authenticated attackers to execute arbitrary system commands by manipulati...

Same vulnerability type (CWE-77)
CVE-2024-28354 10.0

This is a critical command injection vulnerability in TRENDnet TEW-827DRU routers that allows remote...

Same vulnerability type (CWE-77)