CVE-2021-35326 – This vulnerability allows attackers to download... (How to Fix)

Q: What is the severity of CVE-2021-35326?

CVE-2021-35326 has a CVSS score of 7.5 (HIGH). This vulnerability allows attackers to download the router's configuration file by sending a specially crafted HTTP request to the TOTOLINK A720R router. This affects users running firmware version v4.1.5cu.470_B20200911, potentially exposing sensitive network configuration and credentials.

📋 TL;DR

This vulnerability allows attackers to download the router's configuration file by sending a specially crafted HTTP request to the TOTOLINK A720R router. This affects users running firmware version v4.1.5cu.470_B20200911, potentially exposing sensitive network configuration and credentials.

💻 Affected Systems

Products:

TOTOLINK A720R router

Versions: Firmware v4.1.5cu.470_B20200911

Operating Systems: Embedded router OS

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects this specific firmware version on the A720R model

📦 What is this software?

A720r Firmware by Totolink

View all CVEs affecting A720r Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain complete access to router configuration including admin credentials, Wi-Fi passwords, port forwarding rules, and network topology, leading to full network compromise.

🟠

Likely Case

Attackers download configuration file containing admin credentials and network settings, enabling unauthorized access to router management interface and potential lateral movement.

🟢

If Mitigated

With proper network segmentation and firewall rules, impact limited to router compromise without access to internal systems.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit requires sending crafted HTTP request to vulnerable endpoint

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

Check TOTOLINK website for firmware updates. If available, download latest firmware and upload via router admin interface.

🔧 Temporary Workarounds

Disable remote management

all

Turn off remote administration access to router web interface

Restrict web interface access

all

Configure firewall to only allow trusted IPs to access router admin interface

🧯 If You Can't Patch

Replace router with different model or manufacturer
Isolate router on separate VLAN with strict firewall rules

🔍 How to Verify

Check if Vulnerable:

Attempt to access configuration file via HTTP request to router IP on vulnerable endpoint

Check Version:

Login to router admin interface and check firmware version in System Status

Verify Fix Applied:

Test if configuration file download is no longer possible after firmware update

📡 Detection & Monitoring

Log Indicators:

HTTP requests to configuration file endpoints
Unauthorized access to admin interface

Network Indicators:

HTTP GET requests for config.bin or similar files
Traffic to router on unusual ports

SIEM Query:

source_ip=external AND dest_ip=router_ip AND (uri_contains="config" OR uri_contains="backup")

📊 Metadata

CVE ID: CVE-2021-35326

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Published: August 5, 2021

Last Updated: November 21, 2024

🔗 References

https://github.com/hurricane618/my_cves/blob/master/router/totolink/A720R_leak_config_file.md Exploit,Third Party Advisory
https://github.com/hurricane618/my_cves/blob/master/router/totolink/A720R_leak_config_file.md Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON