Hardcoded Password Vulnerability in Totolink A3600R Firmware
CVE-2022-34993

9.8CRITICAL

Key Information:

Vendor: Totolink
Status: A3600r Firmware
Vendor: CVE Published:; 4 August 2022

Summary

The Totolink A3600R Firmware version V4.1.2cu.5182_B20201102 contains a significant security flaw characterized by the presence of a hardcoded password for the root user located in /etc/shadow.sample. This vulnerability could allow unauthorized users to gain elevated privileges, potentially compromising the integrity and confidentiality of the device and its data. Users of this firmware version should take immediate action to secure their devices from potential exploitation.

References

http://www.totolink.cn/home/menu/detail.html?menu_listtpl...

x_refsource_MISC

https://github.com/cilan2/iot/blob/main/1.md

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 4, 2022
Vulnerability Reserved
Jul 4, 2022