TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a remote code execution (RCE) vulnerability via the hostTime parameter in the NTPSyncWithHost function.
The vulnerability (CWE-94 — code injection) occurs in the NTPSyncWithHost function, which insecurely processes the value of the hostTime parameter. An attacker can provide a crafted value of this parameter, leading to code injection and execution of arbitrary code on the device. The attack does not require authentication or user interaction, and its complexity is low.
An attacker can remotely execute arbitrary code with system privileges on the device, resulting in complete loss of confidentiality, integrity, and availability of the system.
Apply patches available from the manufacturer according to the references. Due to the lack of required authentication, until the system is updated, it is recommended to isolate the device from untrusted networks and restrict access to the management interface only to trusted hosts.
TOTOLINK EX200 with firmware version V4.0.3c.7646_B20201211
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTotolink Ex200
HWTotolinkwszystkie wersjeTotolink Ex200 Firmware
OSTotolink4.0.3c.7646_b20201211
Related vulnerabilities
TOTOLINK EX200: zakodowane na stałe hasło roota w firmware
TOTOLINK EX200 – nieautoryzowany dostęp do pliku konfiguracyjnego
The downloadFlile.cgi binary file in TOTOLINK EX200 V4.0.3c.7646_B20201211 has a command injection vulnerabili...
A vulnerability classified as critical has been found in TOTOLINK EX200 4.0.3c.7646_B20201211. Affected is the...
A vulnerability classified as critical was found in TOTOLINK EX200 4.0.3c.7646_B20201211. Affected by this vul...