CVE-2023-51034

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to execute arbitrary commands on TOTOlink EX1200L routers by sending a crafted request to the UploadFirmwareFile interface of cstecgi.cgi, the CGI binary behind the device's web administration interface. A successful attacker gains full control of the device and a foothold on the network behind it. All users running the affected firmware are exposed.

💻 Affected Systems

Products:
  • TOTOlink EX1200L
Versions: V9.3.5u.6146_B20201023
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only V9.3.5u.6146_B20201023 is confirmed affected; other versions have not been tested and should be treated as potentially vulnerable until the vendor states otherwise.

📦 What is this software?

TOTOlink EX1200L is a consumer Wi-Fi device from TOTOlink running embedded Linux. Its web administration interface is served by the cstecgi.cgi binary, which handles management actions including firmware upload (UploadFirmwareFile), the interface abused by this vulnerability.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device takeover: a persistent backdoor on the router, interception and modification of all traffic that crosses it, data exfiltration, and lateral movement to hosts behind it.

🟠 Likely Case

Router compromise used for traffic interception, DNS manipulation (redirecting clients to attacker-controlled hosts), credential theft from unencrypted sessions, and use of the device as a relay or attack platform against other targets.

🟢 If Mitigated

Limited impact if the management interface is unreachable from the WAN and the device sits in a segment that only trusted administrators can reach. Anyone with network access to the interface, including a compromised LAN host, can still exploit it, since no credentials are required.

🌐 Internet-Facing: HIGH - Directly exploitable from internet without authentication.
🏢 Internal Only: HIGH - Exploitable from internal network by any user or compromised device.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details are available in the references. Exploitation is a single crafted HTTP request to cstecgi.cgi invoking UploadFirmwareFile with a crafted firmware upload; no credentials or user interaction are needed, and the injected command runs on the device.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes (flashing new firmware reboots the device)

Instructions:

Check the TOTOlink support site for an EX1200L firmware newer than V9.3.5u.6146_B20201023 and confirm from its release notes that it addresses this issue; no fixed version is confirmed at the time of writing. If one exists, download it and apply it through the Firmware Update page of the admin interface, then re-check the reported version after the reboot.

🔧 Temporary Workarounds

Block cstecgi.cgi access

linux

Use firewall rules to drop requests for the vulnerable CGI. The rules below run on the device itself (INPUT chain, which requires shell access to the router); on an upstream Linux firewall use -A FORWARD instead. Because cstecgi.cgi serves every management action, this blocks the whole web admin interface, so pair it with an allowlist for the admin host if you still need the UI.

# Plaintext HTTP: the URI is visible, so a string match works (per packet; a request split across TCP segments can slip past)
iptables -A INPUT -p tcp --dport 80 -m string --string "cstecgi.cgi" --algo bm -j DROP
# HTTPS: TLS hides the URI, so a string match is ineffective; restrict port 443 by source address instead (<admin-host> is a placeholder)
iptables -A INPUT -p tcp --dport 443 ! -s <admin-host> -j DROP

Disable WAN administration

all

Turn off remote administration via the WAN interface in the admin UI so cstecgi.cgi is not reachable from the internet. This removes the internet-facing exposure only; any host on the LAN can still reach the interface.

🧯 If You Can't Patch

  • Isolate the device in a separate management VLAN and allow access to its web interface only from the admin host
  • Monitor for POST requests to cstecgi.cgi carrying UploadFirmwareFile from any source other than the admin host, and for unexpected outbound connections from the device

🔍 How to Verify

Check if Vulnerable:

Read the firmware version from the router's web interface. If it is V9.3.5u.6146_B20201023, the device is vulnerable. Any other version is unconfirmed, not known-safe.

Check Version:

Log in to the router admin interface and read the version from the System Status or Firmware Update page.

Verify Fix Applied:

No fixed version has been confirmed, so a version later than V9.3.5u.6146_B20201023 is not by itself proof of a fix. Confirm from the vendor's release notes that the installed version addresses this issue, and check that the device reports that version after the post-flash reboot.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /cgi-bin/cstecgi.cgi carrying UploadFirmwareFile, especially from a source other than the admin host
  • Firmware upload attempts at unexpected times or arriving on the WAN side
  • Signs of command execution on the device (new listening ports, unexpected processes) where its syslog is exported; consumer routers rarely keep logs locally, so capture requests at a perimeter proxy or IDS instead

Network Indicators:

  • HTTP traffic to the router on port 80/443 containing cstecgi.cgi and UploadFirmwareFile (visible only for plaintext HTTP or with TLS inspection)
  • Unusual outbound connections from the router, such as reverse shells or downloads of second-stage payloads

SIEM Query:

The following is a pseudo-query; adapt the field names to your log source. The params field must include the POST body, since the UploadFirmwareFile action may be carried there rather than in the URI.

source="router_logs" AND uri="/cgi-bin/cstecgi.cgi" AND method="POST" AND params="*UploadFirmwareFile*"
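The detection logic above, as an added example that is not part of the original advisory or the vendor's code. It assumes a perimeter proxy or IDS that writes one JSON object per request with fields src, method, uri and body (the field names, the ADMIN_HOSTS allowlist and the shell-metacharacter heuristic are assumptions; the sample log lines are constructed). It flags any POST to cstecgi.cgi that invokes UploadFirmwareFile, rates it critical when it comes from a non-admin host or carries shell metacharacters, and skips malformed lines rather than failing.

```python
#!/usr/bin/env python3
"""Flag CVE-2023-51034 exploitation attempts in HTTP request logs.

Added example, not from the advisory or the vendor. Assumes a JSON-lines
log with the fields src, method, uri, body (assumed schema; map to your
own source). Sample lines below are constructed.
"""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

CGI_PATH = "/cgi-bin/cstecgi.cgi"
ACTION = "UploadFirmwareFile"

# Assumption: the only host that should ever manage the device.
ADMIN_HOSTS = {"192.0.2.10"}

# Generic command-injection heuristic (not specific to this CVE): shell
# metacharacters or a newline inside the upload request body.
SHELL_META = re.compile(r"[;|`&]|\$\(|\n")


@dataclass(frozen=True)
class Alert:
    src: str
    severity: str  # "critical" or "info"
    reason: str


def classify(rec: dict) -> Optional[Alert]:
    """Return an Alert for a POST to cstecgi.cgi invoking UploadFirmwareFile, else None."""
    if rec.get("method", "").upper() != "POST":
        return None
    uri = rec.get("uri", "")
    body = rec.get("body", "")
    # Exact path match on the CGI, ignoring any query string.
    if uri.split("?", 1)[0] != CGI_PATH:
        return None
    # The action name may travel in the query string or in the body.
    if ACTION not in uri and ACTION not in body:
        return None
    src = rec.get("src", "unknown")
    if src not in ADMIN_HOSTS:
        # Exploitation needs no credentials, so any non-admin source reaching
        # the firmware upload path is the primary signal.
        return Alert(src, "critical", "UploadFirmwareFile from non-admin host")
    if SHELL_META.search(body):
        return Alert(src, "critical", "shell metacharacters in firmware upload from admin host")
    return Alert(src, "info", "firmware upload from admin host")


def scan(lines: Iterable[str]) -> List[Alert]:
    """Parse JSON log lines and return the alerts they raise; malformed lines are skipped."""
    alerts: List[Alert] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = classify(rec)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample log: a legitimate upload, an upload from a WAN address,
# an upload from the admin host with a metacharacter in the body, and noise.
SAMPLE_LOG = """
{"src": "192.0.2.10", "method": "POST", "uri": "/cgi-bin/cstecgi.cgi", "body": "UploadFirmwareFile filename=firmware.bin"}
{"src": "203.0.113.7", "method": "POST", "uri": "/cgi-bin/cstecgi.cgi", "body": "UploadFirmwareFile filename=x;id"}
{"src": "192.0.2.10", "method": "POST", "uri": "/cgi-bin/cstecgi.cgi", "body": "UploadFirmwareFile filename=fw.bin`id`"}
{"src": "192.0.2.10", "method": "GET", "uri": "/cgi-bin/cstecgi.cgi?action=status", "body": ""}
{"src": "192.0.2.11", "method": "POST", "uri": "/index.html", "body": "UploadFirmwareFile"}
not json at all
""".strip().splitlines()


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.severity}] {a.src}: {a.reason}")
```

Run against the constructed sample it raises three alerts: an informational one for the admin host's clean upload and two critical ones (the WAN-side upload and the admin-host upload containing a backtick). Legitimate firmware uploads by the admin host are still surfaced at info level so they can be reconciled with change records.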

🔗 References
