Details of VAR-202405-3829

ID

VAR-202405-3829

CVE

CVE-2024-35398

TITLE

TOTOLINK of CP900L Classic buffer overflow vulnerability in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2024-021468

DESCRIPTION

TOTOLINK CP900L v4.1.5cu.798_B20221228 was discovered to contain a stack overflow via the desc parameter in the function setMacFilterRules. TOTOLINK of CP900L Firmware has a classic buffer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. TOTOLINK CP900L is a wireless router from China's TOTOLINK Electronics. TOTOLINK CP900L v4.1.5cu.798_B20221228 has a stack overflow vulnerability. The vulnerability is caused by the failure of the desc parameter in the function setMacFilterRules to correctly verify the length of the input data. Attackers can exploit this vulnerability to execute arbitrary code on the system or cause a denial of service

Trust: 2.16

sources: NVD: CVE-2024-35398 // JVNDB: JVNDB-2024-021468 // CNVD: CNVD-2025-06864

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2025-06864

AFFECTED PRODUCTS

vendor:	totolink	model:	cp900l	scope:	eq	version:	4.1.5cu.798_b20221228	Trust: 1.0
vendor:	totolink	model:	cp900l	scope:	eq	version:	cp900l firmware 4.1.5cu.798 b20221228	Trust: 0.8
vendor:	totolink	model:	cp900l	scope:	eq	version:	-	Trust: 0.8
vendor:	totolink	model:	cp900l	scope:	-	version:	-	Trust: 0.8
vendor:	totolink	model:	cp900l v4.1.5cu.798 b20221228	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2025-06864 // JVNDB: JVNDB-2024-021468 // NVD: CVE-2024-35398

CVSS

SEVERITY

CVSSV2

CVSSV3

134c704f-9b21-4f2e-91b3-4a467353bcc0:	CVE-2024-35398
value:	CRITICAL
Trust: 1.0
OTHER:	JVNDB-2024-021468
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2025-06864
value:	HIGH
Trust: 0.6

CNVD:	CNVD-2025-06864
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

134c704f-9b21-4f2e-91b3-4a467353bcc0:	CVE-2024-35398
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
OTHER:	JVNDB-2024-021468
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2025-06864 // JVNDB: JVNDB-2024-021468 // NVD: CVE-2024-35398

PROBLEMTYPE DATA

problemtype:	CWE-120	Trust: 1.0
problemtype:	Classic buffer overflow (CWE-120) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2024-021468 // NVD: CVE-2024-35398

EXTERNAL IDS

db:	NVD	id:	CVE-2024-35398	Trust: 3.2
db:	JVNDB	id:	JVNDB-2024-021468	Trust: 0.8
db:	CNVD	id:	CNVD-2025-06864	Trust: 0.6

sources: CNVD: CNVD-2025-06864 // JVNDB: JVNDB-2024-021468 // NVD: CVE-2024-35398

REFERENCES

url:	http://totolink.com	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2024-35398	Trust: 1.4
url:	https://github.com/s4ndw1ch136/iot-vuln-reports/blob/main/totolink%20cp900l/setmacfilterrules/readme.md	Trust: 1.0

sources: CNVD: CNVD-2025-06864 // JVNDB: JVNDB-2024-021468 // NVD: CVE-2024-35398

SOURCES

db:	CNVD	id:	CNVD-2025-06864
db:	JVNDB	id:	JVNDB-2024-021468
db:	NVD	id:	CVE-2024-35398

LAST UPDATE DATE

2025-04-11T23:15:09.764000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2025-06864	date:	2025-04-09T00:00:00
db:	JVNDB	id:	JVNDB-2024-021468	date:	2025-04-04T07:01:00
db:	NVD	id:	CVE-2024-35398	date:	2025-04-03T15:45:28.713

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2025-06864	date:	2025-04-10T00:00:00
db:	JVNDB	id:	JVNDB-2024-021468	date:	2025-04-04T00:00:00
db:	NVD	id:	CVE-2024-35398	date:	2024-05-28T15:15:09.497