CVE-2024-7463
Published: 05 August 2024
Summary
CVE-2024-7463 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in TOTOLINK CP900 firmware. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 6.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
Deeper analysis
A critical buffer overflow vulnerability exists in the TOTOLINK CP900 firmware version 6.3c.566. The flaw resides in the UploadCustomModule function of the /cgi-bin/cstecgi.cgi file and is triggered by manipulation of the File argument, corresponding to CWE-120. The issue received a CVSS 4.0 score of 8.7 and can be reached over the network.
An authenticated remote attacker can supply a crafted File parameter to the affected CGI endpoint, causing memory corruption that may allow full compromise of the device's confidentiality, integrity, and availability. Public proof-of-concept code for the vulnerability has been released.
The vendor was notified prior to disclosure but did not respond or issue a patch. The associated EPSS score rose from lower values to a peak of 0.1510 before receding to the current 0.0994, indicating a period of increased public interest following the initial publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-48384
Vulnerability details
A vulnerability classified as critical was found in TOTOLINK CP900 6.3c.566. This vulnerability affects the function UploadCustomModule of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument File leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-273556. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Buffer overflow in public-facing CGI script (/cgi-bin/cstecgi.cgi UploadCustomModule) enables remote code execution via exploitation of the web application.
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not yet run; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Memory-safe, platform-independent managed code eliminates the unchecked native buffer copies that are the root cause of classic buffer overflows.