Hardcoded Password in TOTOLINK CP900L v4.1.5cu.798_B20221228 Allows Root Access
CVE-2024-35396

9.8CRITICAL

Key Information:

Vendor: TOTOLINK
Status: Cp900l Firmware
Vendor: CVE Published:; 24 May 2024

What is CVE-2024-35396?

The TOTOLINK CP900L product has a vulnerability that stems from a hardcoded password for Telnet, located in the /web_cste/cgi-bin/product.ini file. This flaw enables attackers to gain root access without authentication, posing significant security risks to users. It is crucial for businesses and individuals using affected versions to implement immediate measures to protect their networks from potential exploitation.

References

http://totolink.com

https://github.com/s4ndw1ch136/IOT-vuln-reports/blob/main...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 24, 2024