TOTOLINK CA300-PoE OS Command Injection Vulnerability in QuickSetting Function

Vulnerability

A critical OS command injection vulnerability has been identified in the TOTOLINK CA300-PoE router, firmware version 6.2c.884. The issue lies in the QuickSetting function of the ap.so file, where the hour and minute parameters are passed into an operating system command without validation, so a crafted value can inject and execute arbitrary commands. The vulnerability can be exploited remotely and requires no authentication.

Impact

Exploitation of this vulnerability allows for arbitrary OS command execution on the affected device.

Reproduction

To reproduce this vulnerability, send a crafted request to the CA300-PoE router's QuickSetting function, including manipulated hour and minute parameters. The injected command will be executed on the router's operating system.
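The root cause described above is unvalidated hour and minute fields reaching a shell command. The following is an added, hypothetical hardened handler written for this entry; it is not TOTOLINK's code and assumes nothing about ap.so beyond what the advisory states. It rejects any field that is not a bounded decimal integer and hands the result to the caller as an integer so a direct time API, not a shell, applies it:

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse one clock field (hour or minute) taken verbatim from an HTTP
 * parameter. Accepts only 1-2 ASCII digits within [lo, hi]; returns the
 * value, or -1 on any deviation. Rejecting instead of "cleaning" the input
 * means a value containing anything but digits never reaches a command line. */
int parse_clock_field(const char *s, int lo, int hi) {
    if (s == NULL) return -1;
    size_t len = strlen(s);
    if (len == 0 || len > 2) return -1;
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)s[i])) return -1;
    int v = atoi(s);
    return (v >= lo && v <= hi) ? v : -1;
}

/* Hardened stand-in for a QuickSetting time handler (hypothetical, not
 * TOTOLINK's code). The unsafe pattern behind this bug class is
 *     snprintf(cmd, n, "... %s:%s", hour, minute); system(cmd);
 * Here both fields are validated as integers first, and the result is
 * returned as minutes since midnight for a caller that applies it with a
 * direct API (e.g. settimeofday()) rather than a shell. Returns -1 if rejected. */
int quick_setting_time(const char *hour, const char *minute) {
    int h = parse_clock_field(hour, 0, 23);
    int m = parse_clock_field(minute, 0, 59);
    if (h < 0 || m < 0) return -1;
    return h * 60 + m;
}

/* If a shell command is unavoidable, format only the validated integers,
 * never the raw strings. Returns the command length, or -1 if rejected. */
int format_time_cmd(const char *hour, const char *minute, char *buf, size_t n) {
    int t = quick_setting_time(hour, minute);
    if (t < 0) return -1;
    return snprintf(buf, n, "date -s %02d:%02d", t / 60, t % 60);
}

int main(void) {
    /* Constructed sample inputs: one valid pair, then out-of-range and
     * non-numeric fields that the handler must refuse. */
    const char *samples[][2] = { {"07", "30"}, {"24", "00"}, {"7", "5x"}, {"12;x", "00"} };
    for (size_t i = 0; i < 4; i++)
        printf("hour=%-5s minute=%-3s -> %d\n", samples[i][0], samples[i][1],
               quick_setting_time(samples[i][0], samples[i][1]));
    return 0;
}
```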

Added: Jun 25, 2025, 6:41 PM
Updated: Jun 25, 2025, 6:41 PM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 10.0
exploitability: 6.2
remediation: 0.0
relevance: 0.2
threat: 6.5
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.