Cyber Resilience

CVE-2024-7332

CriticalPublic PoC

Published: 01 August 2024

Published
01 August 2024
Modified
09 August 2024
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.8861 99.5th percentile
Risk Priority 72 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-7332 is a critical-severity Use of Hard-coded Password (CWE-259) vulnerability in Totolink Cp450 Firmware. Its CVSS base score is 9.3 (Critical).

Operationally, ranked in the top 0.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

A vulnerability classified as critical has been identified in the TOTOLINK CP450 router running firmware version 4.1.0cu.747_B20191224. It resides in an unspecified portion of the file /web_cste/cgi-bin/product.ini within the Telnet Service component and stems from the use of a hard-coded password, corresponding to CWE-259 and CWE-798. The flaw can be triggered remotely and carries a CVSS 4.0 score of 9.3 reflecting high impact on confidentiality, integrity, and availability.

An unauthenticated attacker with network access can leverage the hardcoded credentials to connect to the Telnet service, thereby obtaining full administrative control over the device. The exploit has already been made public, enabling straightforward remote compromise without any required user interaction or special privileges.

No vendor patch or mitigation guidance is available; the manufacturer was notified prior to disclosure but provided no response. The associated EPSS score currently stands at 0.8861 with a recorded peak of 0.9211, indicating sustained public interest in the issue following its publication.

EU & UK References

Vulnerability details

A vulnerability was found in TOTOLINK CP450 4.1.0cu.747_B20191224. It has been classified as critical. This affects an unknown part of the file /web_cste/cgi-bin/product.ini of the component Telnet Service. The manipulation leads to use of hard-coded password. It is possible to…

more

initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-273255. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

totolink
cp450 firmware
4.1.0cu.747_b20191224

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-259 CWE-798

Changing default authenticators prior to first use directly prevents use of hard-coded passwords.

addresses: CWE-798 CWE-259

Intelligence programs surface reports of campaigns that abuse hard-coded credentials in products, prompting removal or replacement and thereby reducing successful exploitation.

addresses: CWE-798 CWE-259

Vetting reduces the chance a developer will deliberately insert hard-coded credentials as a backdoor or unauthorized access mechanism.

addresses: CWE-798 CWE-259

Supplier risk reviews identify and discourage hard-coded credentials in delivered products or services.

addresses: CWE-798

Enables users to notice when hard-coded credentials have been exploited for unauthorized access.

addresses: CWE-798

Security training explicitly warns against hard-coded credentials, lowering their use in systems.

addresses: CWE-798

Policy and procedures prohibit hard-coded credentials in favor of managed authentication.

addresses: CWE-798

External identity providers eliminate the need for hard-coded credentials in applications.

References