CVE-2024-35396
Published: 24 May 2024
Summary
CVE-2024-35396 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Totolink Cp900L Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked at the 32.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-35313
Vulnerability details
TOTOLINK CP900L v4.1.5cu.798_B20221228 was discovered to contain a hardcoded password for telnet in /web_cste/cgi-bin/product.ini, which allows attackers to log in as root.
- CWE(s): CWE-798 (Use of Hard-coded Credentials)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Security training teaches access control policies and enforcement, reducing improper access control implementations.
Authorization servers centrally manage access rights, preventing improper access control.
Central management enforces consistent access-control policies across systems, reducing the likelihood of missing or inconsistent enforcement.
Resources allocated to security programs enable proper design, implementation, and maintenance of access control mechanisms.
Screening criteria tied to position sensitivity limit the set of individuals who can be granted access, shrinking the attack surface for improper access control weaknesses.
Threat hunting directly searches for indicators of unauthorized access or control violations that bypassed preventive mechanisms.
Defining security roles/responsibilities and integrating risk management into the SDLC directly reduces improper access control by ensuring access decisions are designed and reviewed throughout development.
Guidance on effective use of access control mechanisms and known configuration vulnerabilities makes improper access control harder to exploit.