ID

VAR-202408-0172


CVE

CVE-2024-7463


TITLE

Classic buffer overflow vulnerability in TOTOLINK CP900 firmware

Trust: 0.8

sources: JVNDB: JVNDB-2024-005612

DESCRIPTION

A vulnerability classified as critical was found in TOTOLINK CP900 6.3c.566. This vulnerability affects the function UploadCustomModule of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument File leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-273556. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

TOTOLINK CP900 firmware has a classic buffer overflow vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS).

TOTOLINK CP900 is a wireless router. Attackers can use this vulnerability to cause the device to crash, execute arbitrary code, gain control of the device, and even further attack other networks or devices.

Trust: 2.16

sources: NVD: CVE-2024-7463 // JVNDB: JVNDB-2024-005612 // CNVD: CNVD-2025-12713

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-12713

AFFECTED PRODUCTS

vendor: totolink, model: cp900, scope: eq, version: 6.3c.566

Trust: 1.0

vendor: totolink, model: cp900, scope: eq, version: cp900 firmware 6.3c.566

Trust: 0.8

vendor: totolink, model: cp900, scope: eq, version: -

Trust: 0.8

vendor: totolink, model: cp900, scope: -, version: -

Trust: 0.8

vendor: totolink, model: cp900 6.3c.566, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2025-12713 // JVNDB: JVNDB-2024-005612 // NVD: CVE-2024-7463

CVSS

SEVERITY

CVSSV2

CVSSV3

cna@vuldb.com: CVE-2024-7463
value: HIGH

Trust: 1.0

nvd@nist.gov: CVE-2024-7463
value: CRITICAL

Trust: 1.0

OTHER: JVNDB-2024-005612
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2025-12713
value: HIGH

Trust: 0.6

cna@vuldb.com: CVE-2024-7463
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

OTHER: JVNDB-2024-005612
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2025-12713
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

cna@vuldb.com: CVE-2024-7463
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

nvd@nist.gov: CVE-2024-7463
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2024-005612
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2025-12713 // JVNDB: JVNDB-2024-005612 // NVD: CVE-2024-7463 // NVD: CVE-2024-7463

PROBLEMTYPE DATA

problemtype: CWE-120

Trust: 1.0

problemtype: Classic buffer overflow (CWE-120) [others]

Trust: 0.8

sources: JVNDB: JVNDB-2024-005612 // NVD: CVE-2024-7463

EXTERNAL IDS

db: NVD, id: CVE-2024-7463

Trust: 3.2

db: VULDB, id: 273556

Trust: 1.0

db: JVNDB, id: JVNDB-2024-005612

Trust: 0.8

db: CNVD, id: CNVD-2025-12713

Trust: 0.6

sources: CNVD: CNVD-2025-12713 // JVNDB: JVNDB-2024-005612 // NVD: CVE-2024-7463

REFERENCES

url:https://github.com/abcdefg-png/iot-vulnerable/blob/main/totolink/cp900/uploadcustommodule.md

Trust: 2.4

url:https://vuldb.com/?submit.381333

Trust: 2.4

url:https://vuldb.com/?ctiid.273556

Trust: 1.6

url:https://vuldb.com/?id.273556

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2024-7463

Trust: 0.8

sources: CNVD: CNVD-2025-12713 // JVNDB: JVNDB-2024-005612 // NVD: CVE-2024-7463

SOURCES

db: CNVD, id: CNVD-2025-12713
db: JVNDB, id: JVNDB-2024-005612
db: NVD, id: CVE-2024-7463

LAST UPDATE DATE

2025-06-19T23:36:23.554000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2025-12713, date: 2025-06-17T00:00:00
db: JVNDB, id: JVNDB-2024-005612, date: 2024-08-19T02:01:00
db: NVD, id: CVE-2024-7463, date: 2024-08-15T13:15:55.170

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2025-12713, date: 2025-06-17T00:00:00
db: JVNDB, id: JVNDB-2024-005612, date: 2024-08-19T00:00:00
db: NVD, id: CVE-2024-7463, date: 2024-08-05T01:16:07.867