ID

VAR-202405-3995


CVE

CVE-2024-34218


TITLE

TOTOLINK of cp450 Command injection vulnerability in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2024-021518

DESCRIPTION

TOTOLINK outdoor CPE CP450 v4.1.0cu.747_B20191224 was discovered to contain a command injection vulnerability in the NTPSyncWithHost function via the hostTime parameter. TOTOLINK cp450 firmware contains a command injection vulnerability. Information may be obtained and information may be tampered with. TOTOLINK CPE CP450 is an outdoor wireless client terminal device of China's Jiweng Electronics (TOTOLINK) Company. It is mainly used to provide wireless broadband access services, especially for wireless network coverage in rural or remote areas. The vulnerability is caused by the hostTime parameter of the NTPSyncWithHost method failing to properly filter special characters and commands in the constructed command. No detailed vulnerability details are currently provided.

Trust: 2.16

sources: NVD: CVE-2024-34218 // JVNDB: JVNDB-2024-021518 // CNVD: CNVD-2025-12183

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-12183

AFFECTED PRODUCTS

vendor: totolink, model: cp450, scope: eq, version: 4.1.0cu.747_b20191224

Trust: 1.0

vendor: totolink, model: cp450, scope: -, version: -

Trust: 0.8

vendor: totolink, model: cp450, scope: eq, version: cp450 firmware 4.1.0cu.747 b20191224

Trust: 0.8

vendor: totolink, model: cp450, scope: eq, version: -

Trust: 0.8

vendor: totolink, model: cpe cp450 v4.1.0cu.747 b20191224, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2025-12183 // JVNDB: JVNDB-2024-021518 // NVD: CVE-2024-34218

CVSS

SEVERITY

CVSSV2

CVSSV3

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2024-34218
value: LOW

Trust: 1.0

OTHER: JVNDB-2024-021518
value: LOW

Trust: 0.8

CNVD: CNVD-2025-12183
value: MEDIUM

Trust: 0.6

CNVD: CNVD-2025-12183
severity: MEDIUM
baseScore: 4.7
vectorString: AV:N/AC:L/AU:M/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: MULTIPLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.4
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2024-34218
baseSeverity: LOW
baseScore: 3.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.2
impactScore: 2.5
version: 3.1

Trust: 1.0

OTHER: JVNDB-2024-021518
baseSeverity: LOW
baseScore: 3.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2025-12183 // JVNDB: JVNDB-2024-021518 // NVD: CVE-2024-34218

PROBLEMTYPE DATA

problemtype:CWE-77

Trust: 1.0

problemtype:Command injection (CWE-77) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2024-021518 // NVD: CVE-2024-34218

PATCH

title: Patch for TOTOLINK CPE CP450 NTPSyncWithHost method command injection vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/695906

Trust: 0.6

sources: CNVD: CNVD-2025-12183

EXTERNAL IDS

db: NVD, id: CVE-2024-34218

Trust: 3.2

db: JVNDB, id: JVNDB-2024-021518

Trust: 0.8

db: CNVD, id: CNVD-2025-12183

Trust: 0.6

sources: CNVD: CNVD-2025-12183 // JVNDB: JVNDB-2024-021518 // NVD: CVE-2024-34218

REFERENCES

url:https://github.com/n0wstr/iotvuln/tree/main/cp450/ntpsyncwithhost

Trust: 2.4

url:https://nvd.nist.gov/vuln/detail/cve-2024-34218

Trust: 0.8

sources: CNVD: CNVD-2025-12183 // JVNDB: JVNDB-2024-021518 // NVD: CVE-2024-34218

SOURCES

db: CNVD, id: CNVD-2025-12183
db: JVNDB, id: JVNDB-2024-021518
db: NVD, id: CVE-2024-34218

LAST UPDATE DATE

2025-06-15T23:40:54.282000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2025-12183, date: 2025-06-12T00:00:00
db: JVNDB, id: JVNDB-2024-021518, date: 2025-04-07T07:14:00
db: NVD, id: CVE-2024-34218, date: 2025-04-04T14:47:14.257

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2025-12183, date: 2025-06-11T00:00:00
db: JVNDB, id: JVNDB-2024-021518, date: 2025-04-07T00:00:00
db: NVD, id: CVE-2024-34218, date: 2024-05-14T15:38:35.720