CVE-2021-45735 – This vulnerability allows attackers to intercep... (How to Fix)

Q: What is the severity of CVE-2021-45735?

CVE-2021-45735 has a CVSS score of 7.5 (HIGH). This vulnerability allows attackers to intercept administrator credentials for TOTOLINK X5000R routers because the admin interface uses unencrypted HTTP instead of HTTPS. Anyone using the affected router version with default settings is vulnerable to credential theft.

📋 TL;DR

This vulnerability allows attackers to intercept administrator credentials for TOTOLINK X5000R routers because the admin interface uses unencrypted HTTP instead of HTTPS. Anyone using the affected router version with default settings is vulnerable to credential theft.

💻 Affected Systems

Products:

TOTOLINK X5000R

Versions: v9.1.0u.6118_B20201102

Operating Systems: Embedded router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: All devices running this firmware version are vulnerable by default as HTTP is the default authentication method.

📦 What is this software?

X5000r Firmware by Totolink

View all CVEs affecting X5000r Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain full administrative control of the router, allowing them to reconfigure network settings, intercept all traffic, install malware, or use the device as part of a botnet.

🟠

Likely Case

Attackers on the same network capture admin credentials and gain unauthorized access to router configuration, potentially changing DNS settings or firewall rules.

🟢

If Mitigated

With proper network segmentation and monitoring, impact is limited to credential exposure requiring password reset and investigation.

🌐 Internet-Facing: HIGH

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires network access to capture HTTP traffic; tools like Wireshark or tcpdump can capture credentials in plaintext.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Check TOTOLINK website for firmware updates and upgrade to latest version if available.

🔧 Temporary Workarounds

Disable HTTP admin access

all

Configure router to use HTTPS only for admin interface if supported

Network segmentation

all

Isolate router management interface to separate VLAN

🧯 If You Can't Patch

Change admin password immediately and use strong, unique credentials
Monitor router logs for unauthorized access attempts and network traffic for credential capture

🔍 How to Verify

Check if Vulnerable:

Check if admin interface URL starts with http:// instead of https:// when logging in

Check Version:

Login to router admin interface and check firmware version in system settings

Verify Fix Applied:

Verify admin interface forces HTTPS and credentials are transmitted over encrypted connection

📡 Detection & Monitoring

Log Indicators:

Multiple failed login attempts
Successful logins from unexpected IP addresses
Configuration changes from unauthorized users

Network Indicators:

HTTP traffic to router admin port containing 'POST /cgi-bin/login.cgi' with plaintext credentials
ARP spoofing or MITM attacks targeting router IP

SIEM Query:

source_ip="router_ip" AND (http_method="POST" AND uri="/cgi-bin/login.cgi")

📊 Metadata

CVE ID: CVE-2021-45735

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-319

Published: February 4, 2022

Last Updated: November 21, 2024

🔗 References

https://github.com/pjqwudi/my_vuln/blob/main/totolink/vuln_12/12.md Exploit,Third Party Advisory
https://github.com/pjqwudi/my_vuln/blob/main/totolink/vuln_12/12.md Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-45735, you might also want to check these: