CVE-2024-35387 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2024-35387?

CVE-2024-35387 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows remote attackers to execute arbitrary code on TOTOLINK LR350 routers by exploiting a stack overflow in the loginAuth function via the http_host parameter. Attackers can gain full control of affected devices without authentication. All users running the vulnerable firmware version are affected.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on TOTOLINK LR350 routers by exploiting a stack overflow in the loginAuth function via the http_host parameter. Attackers can gain full control of affected devices without authentication. All users running the vulnerable firmware version are affected.

💻 Affected Systems

Products:

TOTOLINK LR350

Versions: V9.3.5u.6369_B20220309

Operating Systems: Embedded Linux firmware

Default Config Vulnerable: ⚠️ Yes

Notes: The web management interface must be accessible for exploitation. Default configurations typically expose this interface.

📦 What is this software?

Lr350 Firmware by Totolink

View all CVEs affecting Lr350 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to persistent backdoor installation, credential theft, network pivoting, and botnet recruitment.

🟠

Likely Case

Remote code execution allowing attackers to modify router settings, intercept traffic, or use the device as a foothold into the network.

🟢

If Mitigated

Limited impact if devices are behind firewalls with strict ingress filtering and network segmentation.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices with web management interfaces exposed.

🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they have network access to the management interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public proof-of-concept exists in GitHub repository. Exploitation requires sending a specially crafted HTTP request to the loginAuth endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check TOTOLINK website for firmware updates. 2. Download latest firmware. 3. Access router web interface. 4. Navigate to firmware upgrade section. 5. Upload new firmware file. 6. Wait for reboot.

🔧 Temporary Workarounds

Disable Web Management Interface

all

Disable the web management interface or restrict access to trusted IP addresses only.

Network Segmentation

all

Place routers in isolated network segments with strict firewall rules.

🧯 If You Can't Patch

Implement strict network access controls to limit exposure of router management interfaces
Deploy intrusion detection systems to monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface under System Status or About page.

Check Version:

curl -s http://router-ip/cgi-bin/loginAuth | grep version or check web interface

Verify Fix Applied:

Verify firmware version has been updated to a version newer than V9.3.5u.6369_B20220309.

📡 Detection & Monitoring

Log Indicators:

Unusual HTTP POST requests to /cgi-bin/loginAuth with long http_host parameters
Multiple failed login attempts followed by successful exploitation

Network Indicators:

HTTP traffic to router management interface with unusually long http_host parameter values
Outbound connections from router to suspicious IPs post-exploitation

SIEM Query:

source="router_logs" AND (uri="/cgi-bin/loginAuth" AND http_host.length>1000)

📊 Metadata

CVE ID: CVE-2024-35387

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-121

Published: May 24, 2024

Last Updated: April 4, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-35387, you might also want to check these: