Details of VAR-202407-2425

ID

VAR-202407-2425

CVE

CVE-2024-7154

TITLE

TOTOLINK of a3700r Vulnerability related to lack of authentication for critical functions in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2024-005110

DESCRIPTION

A vulnerability, which was classified as problematic, was found in TOTOLINK A3700R 9.1.2u.5822_B20200513. Affected is an unknown function of the file /wizard.html of the component Password Reset Handler. The manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-272568. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. TOTOLINK of a3700r Firmware has a lack of authentication vulnerability for critical functionality.Information may be tampered with. TOTOLINK A3700R is a wireless router produced by China's TOTOLINK Electronics. Attackers can exploit this vulnerability to modify sensitive information

Trust: 2.16

sources: NVD: CVE-2024-7154 // JVNDB: JVNDB-2024-005110 // CNVD: CNVD-2025-08342

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2025-08342

AFFECTED PRODUCTS

vendor:	totolink	model:	a3700r	scope:	eq	version:	9.1.2u.5822_b20200513	Trust: 1.0
vendor:	totolink	model:	a3700r	scope:	eq	version:	-	Trust: 0.8
vendor:	totolink	model:	a3700r	scope:	eq	version:	a3700r firmware 9.1.2u.5822 b20200513	Trust: 0.8
vendor:	totolink	model:	a3700r	scope:	-	version:	-	Trust: 0.8
vendor:	totolink	model:	a3700r 9.1.2u.5822 b20200513	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2025-08342 // JVNDB: JVNDB-2024-005110 // NVD: CVE-2024-7154

CVSS

SEVERITY

CVSSV2

CVSSV3

cna@vuldb.com:	CVE-2024-7154
value:	MEDIUM
Trust: 1.0
nvd@nist.gov:	CVE-2024-7154
value:	HIGH
Trust: 1.0
OTHER:	JVNDB-2024-005110
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2025-08342
value:	MEDIUM
Trust: 0.6

cna@vuldb.com:	CVE-2024-7154
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
OTHER:	JVNDB-2024-005110
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2025-08342
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

cna@vuldb.com:	CVE-2024-7154
baseSeverity:	MEDIUM
baseScore:	4.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	1.4
version:	3.1
Trust: 1.0
nvd@nist.gov:	CVE-2024-7154
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	JVNDB-2024-005110
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2025-08342 // JVNDB: JVNDB-2024-005110 // NVD: CVE-2024-7154 // NVD: CVE-2024-7154

PROBLEMTYPE DATA

problemtype:	CWE-284	Trust: 1.0
problemtype:	CWE-306	Trust: 1.0
problemtype:	Lack of authentication for critical features (CWE-306) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2024-005110 // NVD: CVE-2024-7154

PATCH

title:

Patch for TOTOLINK A3700R Access Control Error Vulnerability

url:

https://www.cnvd.org.cn/patchInfo/show/682296

Trust: 0.6

sources: CNVD: CNVD-2025-08342

EXTERNAL IDS

db:	NVD	id:	CVE-2024-7154	Trust: 3.2
db:	VULDB	id:	272568	Trust: 1.8
db:	JVNDB	id:	JVNDB-2024-005110	Trust: 0.8
db:	CNVD	id:	CNVD-2025-08342	Trust: 0.6

sources: CNVD: CNVD-2025-08342 // JVNDB: JVNDB-2024-005110 // NVD: CVE-2024-7154

REFERENCES

url:	https://github.com/abcdefg-png/iot-vulnerable/blob/main/totolink/a3700r/setwizardcfg_changepw.md	Trust: 1.8
url:	https://vuldb.com/?id.272568	Trust: 1.8
url:	https://vuldb.com/?submit.377463	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2024-7154	Trust: 1.4
url:	https://vuldb.com/?ctiid.272568	Trust: 1.0

sources: CNVD: CNVD-2025-08342 // JVNDB: JVNDB-2024-005110 // NVD: CVE-2024-7154

SOURCES

db:	CNVD	id:	CNVD-2025-08342
db:	JVNDB	id:	JVNDB-2024-005110
db:	NVD	id:	CVE-2024-7154

LAST UPDATE DATE

2025-04-26T22:58:40.373000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2025-08342	date:	2025-04-25T00:00:00
db:	JVNDB	id:	JVNDB-2024-005110	date:	2024-08-13T01:38:00
db:	NVD	id:	CVE-2024-7154	date:	2024-08-08T12:38:38.570

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2025-08342	date:	2025-04-22T00:00:00
db:	JVNDB	id:	JVNDB-2024-005110	date:	2024-08-13T00:00:00
db:	NVD	id:	CVE-2024-7154	date:	2024-07-28T10:15:01.897