CVE-2024-35397
Published: 28 May 2024
Summary
CVE-2024-35397 is a high-severity command injection (CWE-77) vulnerability in TOTOLINK CP900L firmware. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 11.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-35397 is a command-injection vulnerability (CWE-77) affecting the TOTOLINK CP900L wireless router running firmware version 4.1.5cu.798_B20221228. The flaw resides in the NTPSyncWithHost function, where the hostTime parameter is passed to a system command without proper sanitization, enabling an attacker to supply a malicious value that results in arbitrary command execution.
An unauthenticated attacker positioned on an adjacent network can submit a crafted HTTP request to the affected endpoint and achieve full control over the device, including the ability to read, modify, or delete data and potentially pivot to other systems on the same network segment. The vulnerability carries a CVSS 3.1 base score of 8.8, reflecting the combination of low attack complexity, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability.
Public references consist of the vendor site and a detailed technical report containing proof-of-concept material; neither source describes an official patch or mitigation guidance. The associated EPSS score remains low, reaching a modest peak of 0.0547 before receding, with no indication of widespread in-the-wild exploitation.
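Since neither reference describes a patch, the following added example (not code from the vendor firmware or from the technical report) shows the class of fix for the flaw described above: strict validation of hostTime and no shell. The "YYYY-MM-DD HH:MM:SS" format and the names parse_host_time and sync_time_from_host are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Pattern the advisory describes (illustration only, not the firmware's code):
 *     snprintf(cmd, sizeof cmd, "<time-setting command> %s", hostTime); system(cmd);
 * Any shell metacharacter in hostTime becomes part of the command line. */

/* Assumed format: exactly "YYYY-MM-DD HH:MM:SS". Returns 0 on success, -1 otherwise. */
int parse_host_time(const char *s, struct tm *out)
{
    static const char shape[] = "dddd-dd-dd dd:dd:dd";
    int y, mo, d, h, mi, sec;
    size_t i;
    if (s == NULL || strlen(s) != sizeof(shape) - 1)
        return -1;
    for (i = 0; i < sizeof(shape) - 1; i++)   /* digits and separators only */
        if (shape[i] == 'd' ? (s[i] < '0' || s[i] > '9') : (s[i] != shape[i]))
            return -1;
    if (sscanf(s, "%4d-%2d-%2d %2d:%2d:%2d", &y, &mo, &d, &h, &mi, &sec) != 6)
        return -1;
    /* Year capped at 2037 so the result also fits a 32-bit time_t. */
    if (y < 1970 || y > 2037 || mo < 1 || mo > 12 || d < 1 || d > 31 ||
        h > 23 || mi > 59 || sec > 59)
        return -1;
    memset(out, 0, sizeof *out);
    out->tm_year = y - 1900; out->tm_mon = mo - 1; out->tm_mday = d;
    out->tm_hour = h; out->tm_min = mi; out->tm_sec = sec;
    out->tm_isdst = -1;
    return 0;
}

/* Hardened handler (hypothetical name): the string never reaches a shell. */
int sync_time_from_host(const char *hostTime, time_t *when)
{
    struct tm tm;
    int day;
    if (parse_host_time(hostTime, &tm) != 0)
        return -1;
    day = tm.tm_mday;
    *when = mktime(&tm);          /* normalizes impossible dates such as Feb 31 */
    if (*when == (time_t)-1 || tm.tm_mday != day)
        return -1;
    return 0;  /* a device would now set its clock from *when via a syscall */
}

int main(void)
{
    time_t t;
    printf("%d\n", sync_time_from_host("2024-05-28 10:00:00", &t));
    return 0;
}
```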
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-35314
Vulnerability details
TOTOLINK CP900L v4.1.5cu.798_B20221228 was discovered to contain a command injection vulnerability in the NTPSyncWithHost function via the hostTime parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
- CWE(s): CWE-77
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.