CVE-2024-35400

5.3 MEDIUM

📋 TL;DR

This vulnerability allows remote attackers to cause a stack overflow in TOTOLINK CP900L routers by sending specially crafted requests to the SetPortForwardRules function. Attackers could potentially execute arbitrary code or crash the device. Only users of TOTOLINK CP900L routers with the vulnerable firmware version are affected.

💻 Affected Systems

Products:
  • TOTOLINK CP900L
Versions: v4.1.5cu.798_B20221228
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the web management interface's port forwarding functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete device compromise, allowing attackers to install malware, pivot to internal networks, or create persistent backdoors.

🟠 Likely Case

Denial of service causing router crashes and network disruption, requiring physical reset or manual intervention to restore functionality.

🟢 If Mitigated

Limited impact with proper network segmentation and firewall rules preventing external access to the vulnerable interface.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication to the router's web interface. Public proof-of-concept code is available in GitHub repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: http://totolink.com

Restart Required: Yes

Instructions:

1. Check the TOTOLINK website for firmware updates.
2. Download the latest firmware.
3. Access the router web interface.
4. Navigate to the firmware upgrade section.
5. Upload and apply the new firmware.
6. Reboot the router.

🔧 Temporary Workarounds

Disable Remote Management (platform: all)

Prevent external access to the router web interface.

Restrict Access with Firewall (platform: linux)

Block external access to the router management ports. The rules below are intended for traffic arriving on the WAN side only; without an interface match they would also lock out administrators on the LAN. Replace WAN_IF with the router's actual WAN interface name (placeholder).

iptables -A INPUT -i WAN_IF -p tcp --dport 80 -j DROP
iptables -A INPUT -i WAN_IF -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Segment affected routers in isolated network zones
  • Implement strict access controls allowing only trusted IPs to access management interface

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version in the web interface under the System Status or About page.

Check Version:

curl -s http://router-ip/status.cgi | grep firmware

Verify Fix Applied:

Verify that the firmware version has been updated beyond v4.1.5cu.798_B20221228.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts
  • Unusual POST requests to /cgi-bin/SetPortForwardRules
  • Router crash/reboot events

Network Indicators:

  • Unusual traffic patterns to router management interface
  • Large payloads sent to port 80/443 of router

SIEM Query:

source="router-logs" AND (uri="/cgi-bin/SetPortForwardRules" OR desc="stack overflow")
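As an added example (not part of this advisory), the log indicators above turned into a small Python triage routine run over constructed access-log lines; the log format, field order, the 1024-byte body threshold and the failed-login count are assumptions, not CP900L output or vendor logic.

```python
import re
from collections import Counter

# Constructed sample log lines (not real CP900L output), one request per line:
# client ip, method, uri, status, request body bytes, free-text message.
SAMPLE_LOGS = [
    '192.168.0.23 POST /cgi-bin/SetPortForwardRules 200 312 ok',
    '198.51.100.7 POST /login.cgi 401 64 auth failed',
    '198.51.100.7 POST /login.cgi 401 64 auth failed',
    '198.51.100.7 POST /login.cgi 401 64 auth failed',
    '198.51.100.7 POST /login.cgi 200 64 auth ok',
    '198.51.100.7 POST /cgi-bin/SetPortForwardRules 200 4096 ok',
    '198.51.100.7 - - - - kernel: stack overflow, rebooting',
]

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) (.*)$')
TARGET_URI = '/cgi-bin/SetPortForwardRules'   # endpoint named in the advisory
MAX_BODY = 1024        # assumed threshold: legitimate rule updates are small
FAILED_AUTH_LIMIT = 3  # assumed threshold for "multiple failed attempts"


def analyze(lines, max_body=MAX_BODY, failed_limit=FAILED_AUTH_LIMIT):
    """Return (client_ip, reason) alerts for the three log indicators."""
    alerts = []
    failed = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ip, method, uri, status, size, msg = m.groups()
        # Indicator 1: repeated failed authentication from one client
        if status == '401':
            failed[ip] += 1
            if failed[ip] == failed_limit:
                alerts.append((ip, 'repeated failed authentication'))
        # Indicator 2: unusually large POST to the vulnerable endpoint
        if method == 'POST' and uri == TARGET_URI and size.isdigit() and int(size) > max_body:
            alerts.append((ip, f'oversized POST to {TARGET_URI} ({size} bytes)'))
        # Indicator 3: crash or reboot event recorded after the request
        if 'stack overflow' in msg or 'rebooting' in msg:
            alerts.append((ip, 'crash/reboot event'))
    return alerts


if __name__ == '__main__':
    for ip, reason in analyze(SAMPLE_LOGS):
        print(f'{ip}: {reason}')
```

The ordinary 312-byte rule update from the LAN client produces no alert, while the sequence from 198.51.100.7 yields one alert per indicator.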
