Hardcoded Password Vulnerability in CP900L v4.1.5cu.798_B20221228 Allows Root Access to Attackers
CVE-2024-35395
8.8 HIGH
What is CVE-2024-35395?
The TOTOLINK CP900L contains a hardcoded password stored in the /etc/shadow.sample file. This weakness allows unauthorized users to gain root-level access to the device. Exploitation could lead to significant security risks, including full control over the device's functionality and the potential for broader network breaches. Users should assess their device configurations and apply any necessary security updates.
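A defender-side check for this class of flaw, as an added example that is not from the original page or from TOTOLINK: it walks an extracted firmware root filesystem and flags any shadow-format file, including leftovers such as shadow.sample, that holds an account with a usable password hash. The function names and the sample entry are constructed for illustration; the real file contents are not shown on this page.

```python
import os
import sys

# In shadow(5) format, a password field starting with one of these is locked.
LOCKED_MARKERS = ("!", "*")

def parse_shadow_text(text):
    """Return [(user, password_field)] for accounts that can log in."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # not a shadow-format entry
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append((user, "<empty>"))  # no password required at all
        elif not pw.startswith(LOCKED_MARKERS):
            findings.append((user, pw))  # usable hash shipped in the image
    return findings

def audit_rootfs(rootfs):
    """Map each shadow* file under rootfs (relative path) to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(rootfs):
        for name in files:
            path = os.path.join(dirpath, name)
            # Covers shadow, shadow.sample, shadow- and similar leftovers.
            if not name.startswith("shadow") or os.path.islink(path):
                continue
            try:
                with open(path, "r", errors="replace") as fh:
                    hits = parse_shadow_text(fh.read())
            except OSError:
                continue  # unreadable entry in the extracted tree
            if hits:
                report[os.path.relpath(path, rootfs)] = hits
    return report

# Constructed sample entries; NOT the contents of the device's real file.
SAMPLE = ("root:$1$CONSTRUCT$placeholderHashValue000:0:0:99999:7:::\n"
          "nobody:*:0:0:99999:7:::\n"
          "daemon:!:0:0:99999:7:::\n")

if __name__ == "__main__" and len(sys.argv) == 2:
    for rel, hits in audit_rootfs(sys.argv[1]).items():
        for user, _pw in hits:
            print(f"{rel}: account '{user}' has a usable password entry")
```

Run it against the directory produced by unpacking a firmware image; any reported account with a hash baked into the image is shared by every device running that build.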
News Articles

CVE-2024-35395 : TOTOLINK CP900L 4.1.5CU.798_B20221228 /ETC/SHADOW.SAMPLE HARD-CODED PASSWORD - Cloud WAF
CVE-2024-35395 : TOTOLINK CP900L v4.1.5cu.798_B20221228 was discovered to contain a hardcoded password vulnerability in /etc/shadow.sample, which allows attackers to log in as root.