Login Sign Up

CVE-2023-48860

9.8 CRITICAL
Remote Code Execution Authentication Bypass

📋 TL;DR

This vulnerability allows authenticated attackers to bypass front-end security restrictions and execute arbitrary code on TOTOLINK N300RT routers. Attackers who gain initial access can achieve remote code execution, potentially compromising the entire device. Organizations and individuals using the affected router version are at risk.

💻 Affected Systems

Products:
  • TOTOLINK N300RT
Versions: 3.2.4-B20180730.0906
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects this specific firmware version. Requires attacker to have initial authentication credentials.

📦 What is this software?

N300rt Firmware by Totolink

View all CVEs affecting N300rt Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device takeover allowing attackers to install persistent malware, intercept all network traffic, pivot to internal networks, or use the device in botnets.

🟠

Likely Case

Attackers with initial access escalate privileges to gain full control of the router, potentially stealing credentials, redirecting traffic, or disabling network services.

🟢

If Mitigated

With proper network segmentation and access controls, impact is limited to the router itself without lateral movement to other systems.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, making them accessible to remote attackers who can exploit this after gaining initial access.
🏢 Internal Only: MEDIUM - Internal attackers with network access could exploit this, but requires initial authentication which may be harder to obtain internally.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authentication first, but post-authentication RCE is straightforward. Public research available with technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

Check TOTOLINK website for firmware updates. If no patch exists, consider replacing the device with a supported model.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate the router from critical internal networks to limit potential damage if compromised.

Access Control Hardening

all

Change default credentials, implement strong authentication, and restrict administrative access to trusted IPs only.

🧯 If You Can't Patch

  • Replace the router with a supported model that receives security updates
  • Implement network monitoring and intrusion detection specifically for this device

🔍 How to Verify

Check if Vulnerable:

Check router web interface or console for firmware version. If version matches 3.2.4-B20180730.0906, device is vulnerable.

Check Version:

Login to router web interface and check System Status or Firmware Information page

Verify Fix Applied:

Update firmware and verify version no longer matches vulnerable version. Test administrative functions for proper access controls.

📡 Detection & Monitoring

Log Indicators:

  • Unusual administrative login attempts
  • Unexpected configuration changes
  • Suspicious command execution in logs

Network Indicators:

  • Unusual outbound connections from router
  • Traffic redirection patterns
  • Unexpected services running on router

SIEM Query:

Search for authentication events followed by configuration changes or command execution on router IP

📊 Metadata

CVE ID: CVE-2023-48860
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Published: December 7, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON