Cyber Resilience

CVE-2024-34204

Critical · Public PoC · RCE

Published: 14 May 2024

Modified: 09 April 2025
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0497 (89.9th percentile)
Risk Priority: 23 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-34204 is a critical-severity Command Injection (CWE-77) vulnerability in TOTOLINK CP450 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 10.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Deeper analysis

TOTOLINK outdoor CPE CP450 version 4.1.0cu.747_B20191224 contains a command injection vulnerability in the setUpgradeFW function that is triggered through the FileName parameter. The flaw, tracked as CWE-77, stems from inadequate sanitization of user-supplied input and carries a CVSS 3.1 score of 9.8 reflecting network-accessible, unauthenticated exploitation with full confidentiality, integrity, and availability impact.

An attacker with network reachability can submit a crafted FileName value to the affected endpoint and execute arbitrary operating-system commands on the device. Successful exploitation grants complete control over the CPE, enabling actions such as configuration changes, malware deployment, or lateral movement within the attached network.
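The analysis above attributes the flaw to inadequate sanitization of the FileName value. The following is an added example of the defensive pattern for that class of bug, not TOTOLINK's code and not taken from the referenced PoCs: an allowlist check on the file name plus argument-vector construction so the value is never interpolated into a shell string. The function names, the 64-character limit and the `fw_flash` helper name are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define FW_NAME_MAX 64  /* assumed upper bound, not a value from the firmware */

/* Return 1 if name is acceptable as an upgrade image file name, else 0.
 * Allowlist: letters, digits, '.', '_' and '-'. Anything else is rejected,
 * which covers shell metacharacters, whitespace, quotes and path separators. */
int fw_filename_is_safe(const char *name)
{
    size_t i;

    if (name == NULL || name[0] == '\0')
        return 0;
    if (name[0] == '-' || name[0] == '.')   /* no option-like or hidden names */
        return 0;
    for (i = 0; name[i] != '\0'; i++) {
        unsigned char c = (unsigned char)name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
        if (i >= FW_NAME_MAX || !ok)        /* too long or disallowed byte */
            return 0;
    }
    if (strstr(name, "..") != NULL)         /* no parent-directory sequences */
        return 0;
    return 1;
}

/* Fill argv for a hypothetical flashing helper so the validated name travels
 * as a single argument to execv() instead of being pasted into a system()
 * command line. Returns 0 on success, -1 if the name fails validation. */
int fw_build_argv(const char *name, const char *argv[4])
{
    if (!fw_filename_is_safe(name))
        return -1;
    argv[0] = "fw_flash";   /* hypothetical helper name */
    argv[1] = "--";         /* end of options: name cannot be read as a flag */
    argv[2] = name;
    argv[3] = NULL;
    return 0;
}
```

Validation and shell-free execution are complementary: the allowlist rejects malformed names early, and passing an argument vector means no shell ever parses the value.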

Public references consist of proof-of-concept disclosures hosted on GitHub that demonstrate the injection vector but contain no vendor advisory, firmware update, or mitigation guidance.

The associated EPSS score has stayed low, moving only from 0.0497 to a brief peak of 0.0598 before receding, with no indication of material exploitation activity following disclosure.

Vulnerability details

TOTOLINK outdoor CPE CP450 v4.1.0cu.747_B20191224 was discovered to contain a command injection vulnerability in the setUpgradeFW function via the FileName parameter.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Command injection in the web-based firmware upgrade function (setUpgradeFW via FileName) enables exploitation of a public-facing application and arbitrary Unix shell command execution.

Affected Assets

Vendor: totolink
Product: cp450 firmware
Version: 4.1.0cu.747_b20191224

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
