Cyber Resilience

CVE-2024-35396

Critical

Published: 24 May 2024
Modified: 03 April 2025
KEV Added: not listed
Patch: none listed
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (32.2nd percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-35396 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in TOTOLINK CP900L firmware. Its CVSS v3.1 base score is 9.8 (Critical): network-reachable, low attack complexity, no privileges or user interaction required, with full impact on confidentiality, integrity and availability.

Operationally, its EPSS score of 0.0013 ranks at the 32.2nd percentile of exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog. Note that EPSS estimates the probability of exploitation being observed in the wild, not the effort involved: a fixed root password on a telnet service needs no exploit development, so any device that exposes telnet to an untrusted network should be treated as high risk regardless of the percentile.

Vulnerability details

TOTOLINK CP900L v4.1.5cu.798_B20221228 was discovered to contain a hard-coded telnet password in /web_cste/cgi-bin/product.ini, which allows attackers to log in as root. The credential ships in the firmware image rather than being set per device, so every unit running this build shares it. Two things to check on a deployed device: whether telnetd is running and on which interfaces (WAN exposure turns this into unauthenticated remote root), and whether /web_cste/cgi-bin/product.ini, which sits under the web server's CGI directory, can be fetched over HTTP without authentication. No patched version is listed above; until the vendor ships one, disable telnet and block TCP/23 from untrusted networks.
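A check a practitioner can run against an extracted firmware image (for example after unpacking it with binwalk) for the class of defect described above: walk the root filesystem, parse every .ini/.conf/.cfg file, flag key=value entries whose key looks credential-like and whose value is non-empty, and then check whether the boot scripts launch telnetd, since a baked-in password only matters if the service is reachable. This is an added example, not TOTOLINK code and not the real contents of product.ini: the key name `telnet_pwd`, the placeholder value, and the rcS startup script are constructed, because the page does not disclose the actual key or password. The report records only the length of each value, never the value itself.

```python
"""Hunt for hard-coded credentials (CWE-798) in an extracted firmware root filesystem."""
import re
import tempfile
from pathlib import Path

# Key names that commonly carry secrets in vendor .ini / .conf files (heuristic, case-insensitive).
SECRET_KEY_RE = re.compile(r"(pass(word|wd)?|pwd|secret|token|(telnet|root|admin)[_-]?(pw|key))", re.IGNORECASE)
CONFIG_GLOBS = ("*.ini", "*.conf", "*.cfg")
# Boot-script locations where an embedded Linux firmware usually spawns telnetd.
STARTUP_GLOBS = ("etc/inittab", "etc/init.d/*", "etc/rc*")


def parse_ini(text):
    """Yield (section, key, value) from simple INI text; ';' and '#' start comments, quotes are stripped."""
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            yield section, key.strip(), value.strip().strip("\"'")


def scan_file(path, root):
    """Return findings for one config file; only the value length goes into the report."""
    findings = []
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return findings
    for section, key, value in parse_ini(text):
        if value and SECRET_KEY_RE.search(key):
            findings.append({
                "file": path.relative_to(root).as_posix(),
                "section": section,
                "key": key,
                "value_len": len(value),
            })
    return findings


def scan_rootfs(root):
    """Walk an extracted firmware tree and collect credential-like entries from config files."""
    root = Path(root)
    findings = []
    for pattern in CONFIG_GLOBS:
        for path in sorted(root.rglob(pattern)):
            if path.is_file():
                findings.extend(scan_file(path, root))
    return findings


def telnetd_started(root):
    """True if any boot script references telnetd, i.e. the credential is reachable over the network."""
    root = Path(root)
    for pattern in STARTUP_GLOBS:
        for path in root.glob(pattern):
            if path.is_file() and "telnetd" in path.read_text(errors="replace"):
                return True
    return False


def build_sample_rootfs():
    """Constructed sample tree standing in for an unpacked image; the vendor's real file contents are not on the page."""
    root = Path(tempfile.mkdtemp(prefix="fw_rootfs_"))
    files = {
        "web_cste/cgi-bin/product.ini": (
            "; constructed sample, not the vendor file\n"
            "[product]\n"
            "model=CP900L\n"
            "fw_version=4.1.5cu.798_B20221228\n"
            "telnet_pwd=\"sample-placeholder\"\n"   # hypothetical key name and value
            "admin_password=\n"                     # empty value: not reported
        ),
        "etc/wifi.conf": "ssid=TOTOLINK\nchannel=6\n",
        "etc/init.d/rcS": "#!/bin/sh\n# constructed boot script\n/usr/sbin/telnetd -l /bin/login &\n",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


def demo():
    """Build the sample tree and return (findings, telnet_exposed) for it."""
    root = build_sample_rootfs()
    return scan_rootfs(root), telnetd_started(root)


if __name__ == "__main__":
    found, exposed = demo()
    for f in found:
        print(f"{f['file']} [{f['section']}] {f['key']} (value length {f['value_len']})")
    print("telnetd launched at boot:", exposed)
```

Point `scan_rootfs` and `telnetd_started` at the squashfs or cramfs root you extracted instead of the sample tree; the key regex is deliberately broad, so expect a few false positives such as empty or templated fields, which is why empty values are skipped.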

CWE(s)

CWE-798: Use of Hard-coded Credentials
CWE-284: Improper Access Control

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: TOTOLINK
Product: CP900L firmware
Version: 4.1.5cu.798_B20221228

Mitigating Controls

Likely mitigating controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWE-284, CWE-798) cited in the NVD entry, and each item addresses both.

- Security training teaches access control policies and enforcement, reducing improper access control implementations.
- Authorization servers centrally manage access rights, preventing improper access control.
- Central management enforces consistent access-control policies across systems, reducing the likelihood of missing or inconsistent enforcement.
- Resources allocated to security programs enable proper design, implementation, and maintenance of access control mechanisms.
- Screening criteria tied to position sensitivity limit the set of individuals who can be granted access, shrinking the attack surface for improper access control weaknesses.
- Threat hunting directly searches for indicators of unauthorized access or control violations that bypassed preventive mechanisms.
- Defining security roles and responsibilities and integrating risk management into the SDLC reduces improper access control by ensuring access decisions are designed and reviewed throughout development.
- Guidance on effective use of access control mechanisms and known configuration vulnerabilities makes improper access control harder to exploit.

These are generic CWE-level controls aimed at the vendor's development process; none of them removes a credential already baked into a shipped image. For an operator the direct mitigations are a fixed vendor firmware, disabling the telnet service, restricting TCP/23 to trusted networks, and hunting for root telnet logins to the device.
