Cyber Resilience

CVE-2024-35397

Severity: High
Published: 28 May 2024
Modified: 03 April 2025
CVSS v3.1: 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0412 (88.9th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-35397 is a high-severity command injection (CWE-77) vulnerability in TOTOLINK CP900L firmware. Its CVSS v3.1 base score is 8.8 (High).

Operationally, it ranks in the top 11.1% of CVEs by EPSS exploit likelihood (88.9th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-35397 is a command-injection vulnerability (CWE-77) affecting the TOTOLINK CP900L wireless router running firmware version 4.1.5cu.798_B20221228. The flaw resides in the NTPSyncWithHost function, where the attacker-controlled hostTime parameter is incorporated into a shell command without validation or escaping, so a value containing shell metacharacters results in arbitrary command execution on the device.

An unauthenticated attacker positioned on an adjacent network (for example, a client on the router's own Wi-Fi or LAN segment, per the AV:A vector) can submit a crafted HTTP request to the affected endpoint and achieve full control over the device, including the ability to read, modify, or delete data and potentially pivot to other systems on the same network segment. The vulnerability carries a CVSS 3.1 base score of 8.8, reflecting the combination of low attack complexity, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability.

Public references consist of the vendor site and a detailed technical report containing proof-of-concept material; neither source describes an official patch or mitigation guidance. The associated EPSS score remains low in absolute terms, reaching a modest peak of 0.0547 before receding, even though it sits in a high percentile relative to other CVEs; there is no indication of widespread in-the-wild exploitation.
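The pattern described above, as an added illustration rather than code from this page, the technical report, or TOTOLINK's firmware: the real NTPSyncWithHost body is not reproduced here, and the "ntpclient" binary name, its flags, and the validation function are assumptions chosen only to show the shape of the bug and of a fix. The vulnerable builder shows what /bin/sh would receive when a request parameter is spliced into a command string; the hardened path validates the value as a hostname or IP literal and then executes with an argv array and no shell, so metacharacters are never interpreted.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Illustrative only. The real NTPSyncWithHost body and the exact command it
 * runs are not on this page; "ntpclient" and its flags are assumptions. */

/* Vulnerable pattern: the request parameter is spliced into a shell string
 * that would later be handed to system(). The returned string is what /bin/sh
 * would see; with host_time = "pool.ntp.org;id;#" it runs "id" after ntpclient. */
const char *vulnerable_cmd_for(const char *host_time) {
    static char cmd[512];
    snprintf(cmd, sizeof cmd, "ntpclient -h %s -s", host_time);
    return cmd;
}

/* Hardened check: accept only characters that can appear in a hostname or an
 * IPv4/IPv6 literal, cap the length, and refuse a leading '-' so the value
 * cannot be parsed as an option by the spawned program (argument injection). */
bool is_valid_host(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 253 || s[0] == '-') return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != ':') return false;
    }
    return true;
}

/* Hardened sync: validate, then exec with an argv array and no shell, so the
 * value is always a single argument. Returns -1 when the value is rejected or
 * the child cannot be started, else the child's exit status (127 if the
 * assumed ntpclient binary is absent on this host). */
int run_ntp_sync_hardened(const char *host_time) {
    if (!is_valid_host(host_time)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {"ntpclient", "-h", (char *)host_time, "-s", NULL};
        execvp(argv[0], argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *payload = "pool.ntp.org;id;#";   /* constructed sample input */
    printf("shell would run: %s\n", vulnerable_cmd_for(payload));
    printf("valid host? %s -> %d\n", payload, is_valid_host(payload));
    printf("hardened rc: %d\n", run_ntp_sync_hardened(payload));
    return 0;
}
```

The validation deliberately rejects a leading '-' as well as shell metacharacters: once the shell is removed, the remaining way to abuse a single argument is to have the spawned program interpret it as an option, so both checks belong together.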


Vulnerability details

TOTOLINK CP900L v4.1.5cu.798_B20221228 was discovered to contain a command injection vulnerability in the NTPSyncWithHost function via the hostTime parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

CWE(s)

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: totolink
Product: cp900l firmware
Version: 4.1.5cu.798_b20221228

Mitigating Controls

No mitigating controls have been mapped to this CVE yet (the per-CVE control annotator has not reached it), and no vendor patch is referenced. As general interim guidance for an unauthenticated, adjacent-network command injection in a router (not vendor guidance): keep the management interface off guest and untrusted Wi-Fi segments, restrict it to trusted hosts, and monitor the device for unexpected processes or outbound connections.
