Command Injection Vulnerability in TOTOLINK Outdoor CPE Products
CVE-2024-34204

9.8CRITICAL

Key Information:

Vendor: TOTOLINK
Status: Cp450 Firmware
Vendor: CVE Published:; 14 May 2024

Summary

The outdoor CPE CP450 by TOTOLINK is affected by a command injection vulnerability that can be exploited through the setUpgradeFW function. This occurs via manipulation of the FileName parameter, potentially allowing unauthorized access and execution of arbitrary commands. Malicious actors could exploit this weakness to adversely affect device functionality or gain control over the device. Users are urged to apply necessary mitigations to safeguard against potential exploitation of this vulnerability.

References

https://github.com/n0wstr/IOTVuln/tree/main/CP450/setUpgr...

EPSS Score

15% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 14, 2024