External risk intelligence

TOTOLINK CP900L Hardcoded Password Allows Root Login

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2024-35396

The vulnerability involves a hardcoded password in a telnet service on a consumer networking device. While telnet can be network-reachable, it is typically restricted to local network access or protected by internal firewall controls, and exposing telnet directly to the public internet is considered an uncommon and insecure configuration practice for such devices.

Totolink Cp900l Firmware

4.1.5cu.798_b20221228

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in TOTOLINK CP900L devices, stemming from a hardcoded password that allows unauthorized root-level access via telnet. This could potentially expose sensitive network information or allow for system compromise.

  • Hardcoded password grants root access.
  • Potential for unauthorized system control.
  • Verify device exposure and relevance.

Attack Path

How an attacker could exploit the issue

An attacker can gain unauthorized root access to the device by exploiting a hardcoded password found in the device's configuration files. This vulnerability allows for remote login without needing any prior credentials or special access. Once logged in as root, an attacker could potentially take full control of the device, leading to severe security compromises.

  • Entry requires network access.
  • Trigger point is accessing a configuration file.
  • Resulting risk is full device compromise.

Live Threat

Current exploitation, exposure, and threat context

A hardcoded password for the telnet service could allow unauthorized root access to the device's operating system. This access could be exploited by attackers when the device is configured to expose its telnet service to a network.

  • Unauthorized root access to the device.
  • Network access to the exposed telnet service.
  • Potential for system compromise and data exposure.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in TOTOLINK CP900L devices, stemming from a hardcoded password for the telnet service, requires immediate attention from teams responsible for network infrastructure and device management. The first practical step is to locate all instances of the affected device within the environment, determine their network accessibility and business criticality, and identify the accountable owner for remediation planning.

  • Network and infrastructure teams own this issue.
  • Verify device network reachability and criticality.
  • Plan remote access hardening and firmware updates.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the TOTOLINK CP900L?

The TOTOLINK CP900L is a networking device often used to provide or extend internet connectivity. It functions as a gateway or router, managing traffic between a local home or office network and the broader internet. Because these devices act as the entry point for network traffic, they are critical for maintaining security boundaries.

How does CVE-2024-35396 allow unauthorized access?

This vulnerability is classified as CWE-798, which involves the use of hardcoded credentials. Specifically, the device firmware contains a preset, unchangeable password for the telnet management service. Because this password is baked into the system software rather than set by a user, an attacker who knows the code can bypass authentication to gain full root-level control over the device.

Do I need to be locally connected to trigger this bug?

No. While the vulnerability affects the telnet service, it does not strictly require local physical access. If the telnet service on the device is configured to listen on a network interface, the hardcoded password can be leveraged by anyone with network reachability to that interface. It is not triggered if telnet is disabled or if the service is blocked by a firewall.

Is my device at risk if it is not facing the internet?

Halo Surface Signal indicates that while the vulnerability is severe, telnet is often restricted to local networks or protected by firewalls. Devices that are not directly exposed to the public internet have a reduced risk profile, as an attacker would first need access to your internal network to reach the telnet service.

What should I do if I manage a TOTOLINK CP900L?

Start by identifying all deployed units to understand your footprint. Check if the telnet service is active and ensure it is not reachable from untrusted networks. Consult the manufacturer for firmware updates that may address the hardcoded credential issue, and consider disabling remote management features like telnet entirely if they are not strictly required for your operations.