CVE-2024-35396

Name of the Vulnerable Software and Affected Versions TOTOLINK CP900L version 4.1.5cu.798 B20221228

Description The issue is related to a hardcoded password for telnet in the /web cste/cgi-bin/product.ini file, allowing attackers to log in as root. This is due to the use of predefined credentials in the product.ini component of the telnet service in the TOTOLINK CP900L wireless access point firmware. Exploitation of this issue can enable a remote attacker to enter the system with root privileges.

Recommendations For TOTOLINK CP900L version 4.1.5cu.798 B20221228, consider disabling telnet access until a patch is available to remove the hardcoded password. Restrict access to the /web cste/cgi-bin/product.ini file to minimize the risk of exploitation. Avoid using the predefined credentials in the product.ini file for telnet service until the issue is resolved.