CVE-2023-30013

CRITICAL NUCLEI

Totolink X5000r Firmware - OS Command Injection

Title source: rule

Description

TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 contain a command insertion vulnerability in setting/setTracerouteCfg. This vulnerability allows an attacker to execute arbitrary commands through the "command" parameter.

Exploits (1)

metasploit WORKING POC EXCELLENT

rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/totolink_unauth_rce_cve_2023_30013.rb

View Code ZIP pw:eip

Nuclei Templates (1)

TOTOLink - Unauthenticated Command Injection

CRITICALby gy741

References (2)

[Exploit, Third Party Advisory] https://github.com/Kazamayc/vuln/tree/main/TOTOLINK/X5000R/2

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/174799/TOTOLINK-Wireless-Routers-Remote-Command-Execution.html

Scores

CVSS v3 9.8

EPSS 0.9208

EPSS Percentile 99.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (2)

totolink/x5000r_firmware 9.1.0u.6118_b20201102

totolink/x5000r_firmware 9.1.0u.6369_b20230113

Published May 05, 2023

Tracked Since Feb 18, 2026