Details of VAR-202307-0469

ID

VAR-202307-0469

CVE

CVE-2023-37170

TITLE

TOTOLINK of a3300r in the firmware OS Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2023-019268

DESCRIPTION

TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain an unauthenticated remote code execution (RCE) vulnerability via the lang parameter in the setLanguageCfg function. TOTOLINK of a3300r The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The TOTOLINK A3300R is a dual-band wireless router manufactured by China's TOTOLINK Electronics, primarily designed for home and small network environments. The TOTOLINK A3300R suffers from a code execution vulnerability. This vulnerability stems from the failure of the "lang" parameter in the setLanguageCfg method to properly sanitize special characters and commands in constructed commands. Detailed vulnerability details are currently unavailable

Trust: 2.25

sources: NVD: CVE-2023-37170 // JVNDB: JVNDB-2023-019268 // CNVD: CNVD-2025-21048 // VULMON: CVE-2023-37170

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2025-21048

AFFECTED PRODUCTS

vendor:	totolink	model:	a3300r	scope:	eq	version:	17.0.0cu.557_b20221024	Trust: 1.0
vendor:	totolink	model:	a3300r	scope:	eq	version:	-	Trust: 0.8
vendor:	totolink	model:	a3300r	scope:	-	version:	-	Trust: 0.8
vendor:	totolink	model:	a3300r	scope:	eq	version:	a3300r firmware 17.0.0cu.557 b20221024	Trust: 0.8
vendor:	totolink	model:	a3300r v17.0.0cu.557 b20221024	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2025-21048 // JVNDB: JVNDB-2023-019268 // NVD: CVE-2023-37170

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2023-37170
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2023-37170
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2025-21048
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202307-515
value:	CRITICAL
Trust: 0.6

CNVD:	CNVD-2025-21048
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2023-37170
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2023-37170
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2025-21048 // CNNVD: CNNVD-202307-515 // JVNDB: JVNDB-2023-019268 // NVD: CVE-2023-37170

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.0
problemtype:	OS Command injection (CWE-78) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2023-019268 // NVD: CVE-2023-37170

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202307-515

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-202307-515

PATCH

title:	Patch for TOTOLINK A3300R setLanguageCfg method code execution vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/729691	Trust: 0.6
title:	TOTOLINK A3300R Fixes for operating system command injection vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=246050	Trust: 0.6

sources: CNVD: CNVD-2025-21048 // CNNVD: CNNVD-202307-515

EXTERNAL IDS

db:	NVD	id:	CVE-2023-37170	Trust: 3.9
db:	JVNDB	id:	JVNDB-2023-019268	Trust: 0.8
db:	CNVD	id:	CNVD-2025-21048	Trust: 0.6
db:	CNNVD	id:	CNNVD-202307-515	Trust: 0.6
db:	VULMON	id:	CVE-2023-37170	Trust: 0.1

sources: CNVD: CNVD-2025-21048 // VULMON: CVE-2023-37170 // CNNVD: CNNVD-202307-515 // JVNDB: JVNDB-2023-019268 // NVD: CVE-2023-37170

REFERENCES

url:	https://github.com/kafroc/vuls/tree/main/totolink/a3300r/cmdi_1	Trust: 3.1
url:	https://nvd.nist.gov/vuln/detail/cve-2023-37170	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2023-37170/	Trust: 0.6
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2025-21048 // VULMON: CVE-2023-37170 // CNNVD: CNNVD-202307-515 // JVNDB: JVNDB-2023-019268 // NVD: CVE-2023-37170

SOURCES

db:	CNVD	id:	CNVD-2025-21048
db:	VULMON	id:	CVE-2023-37170
db:	CNNVD	id:	CNNVD-202307-515
db:	JVNDB	id:	JVNDB-2023-019268
db:	NVD	id:	CVE-2023-37170

LAST UPDATE DATE

2025-09-12T23:48:14.544000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2025-21048	date:	2025-09-11T00:00:00
db:	VULMON	id:	CVE-2023-37170	date:	2023-07-08T00:00:00
db:	CNNVD	id:	CNNVD-202307-515	date:	2023-07-14T00:00:00
db:	JVNDB	id:	JVNDB-2023-019268	date:	2024-01-12T08:05:00
db:	NVD	id:	CVE-2023-37170	date:	2023-07-13T17:31:53.207

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2025-21048	date:	2025-09-08T00:00:00
db:	VULMON	id:	CVE-2023-37170	date:	2023-07-07T00:00:00
db:	CNNVD	id:	CNNVD-202307-515	date:	2023-07-07T00:00:00
db:	JVNDB	id:	JVNDB-2023-019268	date:	2024-01-12T00:00:00
db:	NVD	id:	CVE-2023-37170	date:	2023-07-07T20:15:10.613