CVE-2024-35398

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated remote attackers to execute arbitrary code on TOTOLINK CP900L routers via a stack-based buffer overflow in the setMacFilterRules function of the web management interface. An over-long value in the desc parameter overflows a fixed-size stack buffer, so a crafted request can hijack control flow and take full control of the device. All devices running firmware v4.1.5cu.798_B20221228 are affected.

💻 Affected Systems

Products:
  • TOTOLINK CP900L
Versions: v4.1.5cu.798_B20221228
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface. Devices with default configurations are vulnerable if the interface is accessible.

📦 What is this software?

The TOTOLINK CP900L is a TOTOLINK router running embedded Linux and managed through a browser-based web interface. The vulnerable code is the CGI handler behind that interface, setMacFilterRules, which stores MAC-filter rules; the desc (description) value of a rule is copied into a fixed-size stack buffer without being checked against the buffer's length.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to persistent backdoor installation, network traffic interception, lateral movement to other devices, and participation in botnets.

🟠

Likely Case

Remote code execution allowing attackers to modify router settings, intercept traffic, or use the device as a pivot point for further attacks.

🟢

If Mitigated

Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept available on GitHub. Exploitation requires network access to the web interface but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: http://totolink.com

Restart Required: Yes

Instructions:

1. Check the vendor website for a firmware update for the CP900L.
2. Download the latest firmware image.
3. Log in to the router web interface.
4. Navigate to the firmware upgrade section (System → Firmware Upgrade).
5. Upload the new firmware image.
6. Wait for the device to reboot, then confirm the new version is shown.

🔧 Temporary Workarounds

Disable Remote Management

Prevent external (WAN-side) access to the web management interface.

Access router settings → System → Remote Management → Disable

Network Segmentation

Isolate the router management interface from untrusted networks.

Configure firewall rules (on an upstream firewall, or on the router itself if it exposes them) to block access to the router's web interface ports (typically 80/443) from anything other than a trusted management network. Remember that the exploit needs no credentials, so any host that can reach those ports can exploit the device.

🧯 If You Can't Patch

  • Segment affected routers in isolated VLANs with strict firewall rules
  • Implement network monitoring for unusual traffic patterns from router devices

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the router web interface under System → Firmware Upgrade. If it shows v4.1.5cu.798_B20221228 (or an earlier build), the device is vulnerable.

Check Version:

curl -s http://<router-ip>/status.cgi | grep -i firmware

Run this from the network the interface is meant to be managed from; if the same request answers from the WAN side, remote management is exposed and should be disabled (see Temporary Workarounds). If status.cgi returns nothing on your build, read the version from the web UI page above.

Verify Fix Applied:

Verify that the firmware version is a later build than v4.1.5cu.798_B20221228 and that the vendor's release notes list this issue as fixed (the fixed version is not yet known, see Official Fix above).
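The version comparison above is easy to get wrong by eye (build counter versus build date), so here is an added example script, written for this page and not TOTOLINK's code, that parses a status page or banner and decides whether the build is at or below the vulnerable one. It assumes the version string keeps the shape shown in the advisory (v<major>.<minor>.<patch>cu.<build>_B<YYYYMMDD>) and that fixed firmware carries a higher build number or later date; the status.cgi path comes from the curl check above, and the embedded status-page fragment is constructed for the example.

```python
"""Decide whether a TOTOLINK CP900L firmware banner is at or below the
vulnerable build. Added example for this page; not TOTOLINK's code.

Assumptions (labelled): the version string has the shape seen in the
advisory, v<major>.<minor>.<patch>cu.<build>_B<YYYYMMDD>, and later fixed
firmware keeps that shape with a higher build number / later date.
A banner that does not parse is reported as None (unknown), never "safe".
"""
import re
from typing import NamedTuple, Optional

VULNERABLE_BUILD = "v4.1.5cu.798_B20221228"   # from the advisory

# Case-insensitive: the UI may show the version with a capital V.
_VERSION_RE = re.compile(r"v(\d+)\.(\d+)\.(\d+)cu\.(\d+)_B(\d{8})", re.IGNORECASE)


class Firmware(NamedTuple):
    """Fields are ordered so plain tuple comparison gives release ordering."""
    major: int
    minor: int
    patch: int
    build: int
    date: int  # YYYYMMDD kept as an integer


def parse_firmware(text: str) -> Optional[Firmware]:
    """Pull the first TOTOLINK-style version string out of a banner or HTML page."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return Firmware(*(int(g) for g in m.groups()))


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the banner is the vulnerable build or older, False if newer,
    None if no version string was found (treat None as 'check manually')."""
    found = parse_firmware(text)
    if found is None:
        return None
    return found <= parse_firmware(VULNERABLE_BUILD)


def fetch_banner(url: str, timeout: float = 5.0) -> str:
    """Fetch the status page over HTTP. The path is an assumption taken from
    the curl check above; the UI's System -> Firmware Upgrade page is authoritative."""
    from urllib.request import urlopen
    with urlopen(url, timeout=timeout) as resp:  # operator-supplied URL
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample of what a status-page fragment might contain.
SAMPLE_STATUS_HTML = "<tr><td>Firmware Version</td><td>V4.1.5cu.798_B20221228</td></tr>"

if __name__ == "__main__":
    import sys
    text = fetch_banner(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_STATUS_HTML
    print(parse_firmware(text), "vulnerable:", is_vulnerable(text))
```

Run it as `python3 check_cp900l.py http://<router-ip>/status.cgi`; with no argument it evaluates the constructed sample. A None result means the page did not contain a recognisable version string, which should send you to the web UI rather than be read as "not vulnerable".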

📡 Detection & Monitoring

Log Indicators:

  • POST requests reaching the setMacFilterRules handler from clients that never logged in (the exploit needs no credentials, so the request itself is the indicator)
  • Abnormally long desc values (legitimate rule descriptions are a few dozen bytes)
  • Failed authentication attempts followed by requests to the handler, which suggests an attacker probing before switching to the unauthenticated path

Network Indicators:

  • Unusual outbound connections from router
  • Traffic spikes to/from router management interface
  • Exploit kit signatures targeting IoT devices

SIEM Query:

source="router.log" AND (uri="/cgi-bin/setMacFilterRules" OR desc_parameter_size>1000)

The field names here (uri, desc_parameter_size) are illustrative; they depend on how your log source is parsed. If your SIEM does not expose the desc length as a field, extract it at ingest time, and match the handler name in the request body as well as the URI, since the CGI may be reached through a dispatcher rather than a dedicated path.
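As an added example (not the page's or TOTOLINK's code), the detection logic behind that query run over a constructed set of request records. The record format (tab-separated source IP, method, URI, body) is invented for the example; adapt parse_record() to your router syslog, proxy or IDS output. It recognises two request shapes: a URI naming the handler directly, as in the query above, and a JSON body with "topicurl":"setMacFilterRules" posted to /cgi-bin/cstecgi.cgi, the dispatcher TOTOLINK firmware uses on related models (an assumption to confirm against a capture from your own unit). The alert threshold DESC_ALERT_LEN is assumed, not a figure from the advisory.

```python
"""Flag requests that look like CVE-2024-35398 exploitation attempts.
Added example for this page; not TOTOLINK's or the page author's code.

Input is a constructed list of tab-separated request records:
    <src_ip>\t<METHOD>\t<uri>\t<body>
Real records will differ, so adapt parse_record(). Two request shapes are
recognised:
  1. a URI naming the handler directly, /cgi-bin/setMacFilterRules
     (desc in the query string or a form-encoded body);
  2. a JSON body {"topicurl": "setMacFilterRules", "desc": ...} posted to
     /cgi-bin/cstecgi.cgi (assumption: TOTOLINK's dispatcher on related models).
DESC_ALERT_LEN is an assumed threshold, not a figure from the advisory.
"""
import json
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

HANDLER = "setMacFilterRules"
DESC_ALERT_LEN = 256   # legitimate rule descriptions are a few dozen bytes

# Constructed sample traffic: one benign rule update, two oversized desc values.
_BIG_JSON = "A" * 600
_BIG_FORM = "B" * 400
SAMPLE_LOG: List[str] = [
    "192.168.0.10\tGET\t/cgi-bin/cstecgi.cgi?topicurl=getSysStatusCfg\t",
    "192.168.0.10\tPOST\t/cgi-bin/cstecgi.cgi\t"
    + '{"topicurl":"setMacFilterRules","desc":"kids-tablet","macAddr":"aa:bb:cc:dd:ee:ff"}',
    "203.0.113.7\tPOST\t/cgi-bin/cstecgi.cgi\t"
    + '{"topicurl":"setMacFilterRules","desc":"' + _BIG_JSON + '"}',
    "203.0.113.7\tPOST\t/cgi-bin/setMacFilterRules\tdesc=" + _BIG_FORM + "&enable=1",
]


def parse_record(record: str) -> Tuple[str, str, str, str]:
    """Split one constructed record; a missing body becomes the empty string."""
    fields = record.rstrip("\n").split("\t", 3)
    while len(fields) < 4:
        fields.append("")
    src, method, uri, body = fields
    return src, method, uri, body


def extract_target_and_desc(uri: str, body: str) -> Tuple[bool, Optional[str]]:
    """Return (targets_handler, desc_value) for one request."""
    parts = urlsplit(uri)
    query = parse_qs(parts.query)
    targeted = HANDLER in parts.path or query.get("topicurl", [""])[0] == HANDLER
    desc = query.get("desc", [None])[0]
    if body:
        try:
            obj = json.loads(body)
        except ValueError:               # not JSON: fall through to form parsing
            obj = None
        if isinstance(obj, dict):
            targeted = targeted or obj.get("topicurl") == HANDLER
            if isinstance(obj.get("desc"), str):
                desc = obj["desc"]
        else:
            form = parse_qs(body)        # application/x-www-form-urlencoded
            if "desc" in form:
                desc = form["desc"][0]
    return targeted, desc


def classify(record: str) -> Optional[Tuple[str, str, int]]:
    """(verdict, src_ip, desc_length) for requests that reach the handler, else None."""
    src, _method, uri, body = parse_record(record)
    targeted, desc = extract_target_and_desc(uri, body)
    if not targeted:
        return None
    # Measure bytes, since that is what lands in the stack buffer.
    length = len(desc.encode("utf-8")) if desc is not None else 0
    verdict = "exploit_attempt" if length >= DESC_ALERT_LEN else "handler_access"
    return verdict, src, length


def scan(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Run classify() over a log and keep the hits, in input order."""
    return [hit for hit in map(classify, lines) if hit is not None]


if __name__ == "__main__":
    for verdict, src, length in scan(SAMPLE_LOG):
        print(f"{verdict:16} src={src} desc_len={length}")
```

Every request that reaches the handler is reported, not only the oversized ones: on a device where the exploit is unauthenticated, any handler access from an address that is not your management host is worth a look even with a short desc.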
