CVE-2024-35396

9.8 CRITICAL

📋 TL;DR

This vulnerability involves a hardcoded root password in the TOTOLINK CP900L router's configuration file, allowing attackers to gain administrative access via telnet. Anyone using the affected firmware version is vulnerable to complete device compromise. Attackers can execute arbitrary commands, modify configurations, or use the device as a foothold for further attacks.

💻 Affected Systems

Products:
  • TOTOLINK CP900L
Versions: v4.1.5cu.798_B20221228
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the default configuration; telnet may be enabled by default.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device takeover leading to network compromise, data exfiltration, malware deployment, or use as a botnet node.

🟠

Likely Case

Unauthorized administrative access allowing configuration changes, service disruption, or credential harvesting.

🟢

If Mitigated

Limited impact if telnet is disabled and strong perimeter controls prevent external access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation needs only network reachability to the device's telnet port (TCP 23); no prior authentication, user interaction or tooling beyond a telnet client is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: http://totolink.com

Restart Required: No

Instructions:

Check vendor website for firmware updates; if available, download and install via web interface.

🔧 Temporary Workarounds

Disable Telnet Service

linux

Stop the telnet daemon (BusyBox telnetd on this class of device) so the hardcoded account cannot be reached over the network. This needs a shell on the device, and it does not persist across a reboot unless the firmware's startup scripts are also changed, so re-check after every restart.

killall telnetd

Block Telnet Port

linux

Use firewall rules to drop telnet traffic. Insert the rule at the head of the INPUT chain (-I rather than -A) so that an ACCEPT rule already present in the device's default ruleset cannot match first; this rule is also lost on reboot. Where the router sits behind another firewall, blocking TCP/23 to the device there is the more durable control.

iptables -I INPUT -p tcp --dport 23 -j DROP

🧯 If You Can't Patch

  • Isolate the device on a separate VLAN with strict access controls.
  • Implement network monitoring for telnet authentication attempts and unusual root logins.

🔍 How to Verify

Check if Vulnerable:

From a host that can reach the device, check whether TCP port 23 accepts a connection and presents a login prompt; an exposed telnet service on the affected firmware is the vulnerable condition. Attempt a login with the hardcoded credentials only on devices you own or are authorized to test, since a successful login is root access.

Check Version:

Compare the firmware version shown on the web interface's status or firmware-upgrade page with v4.1.5cu.798_B20221228. Note that cat /proc/version on the device reports the Linux kernel build string, not the TOTOLINK firmware version, so it cannot confirm whether the affected build is installed.

Verify Fix Applied:

Verify telnet service is disabled or inaccessible, and test login fails with hardcoded credentials.
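The two checks above (is telnet exposed, does a given login still work) as a Python script, added here as an example rather than taken from TOTOLINK or the original page. It speaks raw telnet, stripping IAC negotiation bytes since telnetlib is gone from recent Python versions, and so that it runs offline it includes a constructed stand-in telnetd with made-up credentials (root / demo-only); the real hardcoded password is not reproduced, and the prompt strings and the BusyBox "# " prompt heuristic are assumptions about this device class.

```python
# Added example for this page (not TOTOLINK code): probe a router's telnet
# service and optionally test a credential pair. The hardcoded password is
# deliberately not reproduced here; pass the pair you are verifying.
import socket
import socketserver
import threading

# Telnet command bytes (RFC 854) used in option negotiation
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


def strip_telnet_iac(data: bytes) -> bytes:
    """Drop IAC option-negotiation sequences, keeping only the printable stream."""
    out, i = bytearray(), 0
    while i < len(data):
        nxt = data[i + 1] if i + 1 < len(data) else None
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif nxt == IAC:                        # escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif nxt in (DO, DONT, WILL, WONT):     # IAC <cmd> <option>
            i += 3
        elif nxt == SB:                         # sub-negotiation up to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                   # other two-byte command or truncated tail
            i += 2
    return bytes(out)


def _read_until(sock, markers, timeout):
    """Read until a marker (lower-case bytes) shows up, the peer closes, or timeout."""
    sock.settimeout(timeout)
    raw = b""
    while True:
        text = strip_telnet_iac(raw)
        if any(m in text.lower() for m in markers):
            return text
        try:
            chunk = sock.recv(1024)
        except socket.timeout:
            return text
        if not chunk:
            return text
        raw += chunk


def check_telnet(host, port=23, user=None, password=None, timeout=3.0):
    """Report whether host:port offers a telnet login and, if user/password are
    given, whether they yield a shell prompt. Use only on devices you may test."""
    result = {"reachable": False, "exposed": False, "login_ok": False}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return result
    with sock:
        result["reachable"] = True
        banner = _read_until(sock, [b"login:", b"username:"], timeout)
        if not any(m in banner.lower() for m in (b"login:", b"username:")):
            return result
        result["exposed"] = True
        if user is None:
            return result
        sock.sendall(user.encode() + b"\r\n")
        _read_until(sock, [b"password:"], timeout)
        sock.sendall((password or "").encode() + b"\r\n")
        reply = _read_until(sock, [b"# ", b"$ ", b"login:", b"incorrect"], timeout)
        # a BusyBox ash prompt ("# " for root) means the credentials were accepted
        result["login_ok"] = reply.rstrip().endswith((b"#", b"$"))
    return result


class _FakeTelnetd(socketserver.BaseRequestHandler):
    """Constructed stand-in for a router telnetd (offline demo only): one login
    round, then a root prompt. The credentials below are made up."""
    creds = (b"root", b"demo-only")

    def handle(self):
        s = self.request
        try:
            s.sendall(bytes([IAC, WILL, 1]) + b"\r\nCP900L login: ")   # IAC WILL ECHO
            user = s.recv(256).strip()
            s.sendall(b"Password: ")
            password = s.recv(256).strip()
            s.sendall(b"\r\nBusyBox built-in shell (ash)\r\n# " if (user, password) == self.creds
                      else b"\r\nLogin incorrect\r\nCP900L login: ")
        except OSError:
            pass


def start_fake_telnetd():
    """Serve the stand-in on a free loopback port in a daemon thread; return the port."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakeTelnetd)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


if __name__ == "__main__":
    port = start_fake_telnetd()
    print("no credentials:", check_telnet("127.0.0.1", port))
    print("constructed credentials:", check_telnet("127.0.0.1", port, "root", "demo-only"))
```

Against a real device, call check_telnet with the router's LAN address and no credentials first: "exposed": True on the affected firmware already means the mitigation has not been applied, and after disabling or blocking telnet the expected result is "reachable": False.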

📡 Detection & Monitoring

Log Indicators:

  • Failed/successful telnet authentication attempts
  • Root login via telnet

Network Indicators:

  • Telnet traffic to device on port 23
  • Unusual outbound connections from device

SIEM Query:

source="router_logs" AND event="telnet_login" AND user="root"

Field names are illustrative and depend on how the router's syslog is parsed. Match on a root login that arrived over telnet rather than on user="root" alone: root also appears in console logins and cron entries, so the broader clause would alert on normal activity.
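The log indicators and SIEM query above, run as Python over constructed syslog lines (added example, not vendor code). The line formats imitate BusyBox login and telnetd messages, and the telnetd "connect from" line is an assumption; adjust the regexes to what the CP900L actually emits. It shows why the match should be a root login on a network pseudo-terminal rather than user="root" alone: the console login and the root cron entry in the sample produce no alert.

```python
# Added example for this page (not vendor code): flag telnet root logins and
# password guessing in router syslog. Log lines below are constructed.
import re
from datetime import datetime, timedelta

SYSLOG = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[\w./-]+)\[\d+\]: (?P<msg>.*)$")
CONNECT = re.compile(r"connect from (?P<src>\S+)")   # assumed telnetd wording
FAILED = re.compile(r"invalid password for '(?P<user>[^']+)' on '(?P<tty>[^']+)'")
SUCCESS = re.compile(r"^(?P<user>\S+) login on '(?P<tty>[^']+)'")

# Constructed sample in the style of BusyBox login/telnetd syslog output
SAMPLE_LOG = """\
Jan 10 03:11:58 CP900L telnetd[812]: connect from 203.0.113.7
Jan 10 03:12:02 CP900L login[813]: invalid password for 'root' on 'pts/0'
Jan 10 03:12:05 CP900L login[813]: invalid password for 'root' on 'pts/0'
Jan 10 03:12:09 CP900L login[813]: invalid password for 'root' on 'pts/0'
Jan 10 03:12:14 CP900L login[813]: root login on 'pts/0'
Jan 10 03:40:00 CP900L login[901]: root login on 'ttyS0'
Jan 10 04:00:00 CP900L cron[77]: (root) CMD (/sbin/ntpclient)
""".splitlines()


def parse_line(line, year=2024):
    """Split a syslog line into timestamp, host, process and message (None if not syslog)."""
    m = SYSLOG.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return {"ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"]}


def detect(lines, fail_threshold=3, window=timedelta(seconds=60)):
    """Return alerts for: repeated failed logins inside `window`, any login on a
    pseudo-terminal (pts/* is a network session such as telnet; ttyS* is the
    serial console), and a network login that follows a run of failures.
    Root cron jobs and console logins are deliberately not alerted on."""
    alerts, recent_fails, last_src = [], [], None
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["proc"] == "telnetd":
            c = CONNECT.search(ev["msg"])
            if c:
                last_src = c["src"]           # most recent connecting address
            continue
        if ev["proc"] != "login":
            continue
        f = FAILED.search(ev["msg"])
        if f:
            recent_fails = [t for t in recent_fails if ev["ts"] - t <= window] + [ev["ts"]]
            if len(recent_fails) == fail_threshold:
                alerts.append({"kind": "password_guessing", "ts": ev["ts"],
                               "user": f["user"], "tty": f["tty"], "src": last_src})
            continue
        s = SUCCESS.match(ev["msg"])
        if s and s["tty"].startswith("pts/"):
            kind = "root_telnet_login" if s["user"] == "root" else "telnet_login"
            base = {"ts": ev["ts"], "user": s["user"], "tty": s["tty"], "src": last_src}
            alerts.append({"kind": kind, **base})
            if recent_fails:
                alerts.append({"kind": "login_after_failures", **base})
                recent_fails = []
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["ts"].time(), a["kind"], a["user"], a["tty"], a["src"])
```

Feed it the device's remote syslog stream (most TOTOLINK firmware can forward syslog to a LAN host); any root_telnet_login on a router with the affected firmware should be treated as a compromise until proven otherwise.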
