CVE-2024-7332
Published: 01 August 2024
Summary
CVE-2024-7332 is a critical-severity Use of Hard-coded Password (CWE-259) vulnerability in Totolink Cp450 Firmware. Its CVSS base score is 9.3 (Critical).
Operationally, ranked in the top 0.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
A vulnerability classified as critical has been identified in the TOTOLINK CP450 router running firmware version 4.1.0cu.747_B20191224. It resides in an unspecified portion of the file /web_cste/cgi-bin/product.ini within the Telnet Service component and stems from the use of a hard-coded password, corresponding to CWE-259 and CWE-798. The flaw can be triggered remotely and carries a CVSS 4.0 score of 9.3 reflecting high impact on confidentiality, integrity, and availability.
An unauthenticated attacker with network access can leverage the hardcoded credentials to connect to the Telnet service, thereby obtaining full administrative control over the device. The exploit has already been made public, enabling straightforward remote compromise without any required user interaction or special privileges.
No vendor patch or mitigation guidance is available; the manufacturer was notified prior to disclosure but provided no response. The associated EPSS score currently stands at 0.8861 with a recorded peak of 0.9211, indicating sustained public interest in the issue following its publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-48271
Vulnerability details
A vulnerability was found in TOTOLINK CP450 4.1.0cu.747_B20191224. It has been classified as critical. This affects an unknown part of the file /web_cste/cgi-bin/product.ini of the component Telnet Service. The manipulation leads to use of hard-coded password. It is possible to…
more
initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-273255. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Changing default authenticators prior to first use directly prevents use of hard-coded passwords.
Intelligence programs surface reports of campaigns that abuse hard-coded credentials in products, prompting removal or replacement and thereby reducing successful exploitation.
Vetting reduces the chance a developer will deliberately insert hard-coded credentials as a backdoor or unauthorized access mechanism.
Supplier risk reviews identify and discourage hard-coded credentials in delivered products or services.
Enables users to notice when hard-coded credentials have been exploited for unauthorized access.
Security training explicitly warns against hard-coded credentials, lowering their use in systems.
Policy and procedures prohibit hard-coded credentials in favor of managed authentication.
External identity providers eliminate the need for hard-coded credentials in applications.