CVE-2024-34204
Published: 14 May 2024
Summary
CVE-2024-34204 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink Cp450 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 10.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Deeper analysis
TOTOLINK outdoor CPE CP450 version 4.1.0cu.747_B20191224 contains a command injection vulnerability in the setUpgradeFW function that is triggered through the FileName parameter. The flaw, tracked as CWE-77, stems from inadequate sanitization of user-supplied input and carries a CVSS 3.1 score of 9.8 reflecting network-accessible, unauthenticated exploitation with full confidentiality, integrity, and availability impact.
An attacker with network reachability can submit a crafted FileName value to the affected endpoint and execute arbitrary operating-system commands on the device. Successful exploitation grants complete control over the CPE, enabling actions such as configuration changes, malware deployment, or lateral movement within the attached network.
Public references consist of proof-of-concept disclosures hosted on GitHub that demonstrate the injection vector; no vendor advisory, firmware update, or mitigation guidance is referenced.
The associated EPSS score has stayed low, moving only from 0.0497 to a brief peak of 0.0598 before receding, with no indication of material exploitation activity following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-34684
Vulnerability details
TOTOLINK outdoor CPE CP450 v4.1.0cu.747_B20191224 was discovered to contain a command injection vulnerability in the setUpgradeFW function via the FileName parameter.
- CWE(s): CWE-77 (Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in the web-based firmware upgrade function (setUpgradeFW via the FileName parameter) maps to Exploit Public-Facing Application (T1190) and results in arbitrary Unix shell command execution on the device.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.