CVE-2024-31814

Authentication Bypass Using an Alternate Path or Channel (CWE-288)

Published: Apr 8, 2024 / Updated: 7mo ago

CVSS 8.8 / EPSS 0.04% / Severity: High

Summary

TOTOLINK EX200 V4.0.3c.7646_B20201211 allows attackers to bypass login through the Form_Login function. This vulnerability is associated with CWE-288: Authentication Bypass Using an Alternate Path or Channel.

Impact

The vulnerability has a CVSS v3.1 base score of 8.8 (High), with confidentiality, integrity, and availability impact all rated High. The attack vector is Adjacent Network (AV:A) with low complexity, no privileges, and no user interaction: the attacker must be on a network segment the device serves, such as its LAN or Wi-Fi, rather than anywhere on the Internet. From there, an unauthenticated attacker could gain access to the device's management interface, read sensitive configuration, change settings, or disrupt service.

Exploitation

There is no evidence of a public proof-of-concept, and no evidence of exploitation in the wild at the time of writing.

Patch

The available information does not reference a patch for this vulnerability.

Mitigation

No vendor-specific mitigation has been published. General recommendations:

1. Limit access to affected TOTOLINK EX200 devices to trusted networks only; if the device offers remote (WAN-side) management, disable it so the web interface is reachable only from the wired LAN.
2. Implement strong network segmentation to isolate these devices, for example a dedicated management VLAN rather than the guest or client Wi-Fi.
3. Monitor for suspicious login attempts or unusual activity on these devices, including management-interface requests from hosts that are not designated administrators.
4. Form_Login is the device's login handler itself, so it cannot simply be switched off; restrict which hosts can reach the management interface instead.
5. Regularly check for and apply security updates or patches from TOTOLINK when they become available.
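Detection logic for the monitoring recommendation above, as an added example that is not part of this advisory and not TOTOLINK's code. It assumes a network sensor that records HTTP requests to the router as `timestamp src dst method uri` lines; the router address 192.168.0.1, the admin subnet 192.168.0.0/28, the `login` URI marker and every sample log line are constructed for illustration. Because a CWE-288 bypass takes a path around the login form, the example alerts on any management-plane request from a non-admin host, not only on bursts of login attempts.

```python
"""Flag management-interface access to a TOTOLINK EX200 from outside the trusted
admin set, plus bursts of login POSTs.

Added example for the mitigation recommendations; not code from the advisory
or from TOTOLINK. Input is a constructed HTTP sensor log, one request per line:
    <epoch_seconds> <src_ip> <dst_ip> <method> <uri>
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Assumptions for this example (not from the advisory): the router's management
# address, the subnet holding the designated admin hosts, and a substring that
# identifies the login endpoint in request URIs.
ROUTER_IP = "192.168.0.1"
ADMIN_NETS = [ipaddress.ip_network("192.168.0.0/28")]
LOGIN_URI_MARKER = "login"

# A burst of login POSTs from one host within the window is worth a look.
BURST_THRESHOLD = 5
BURST_WINDOW_S = 60

# Constructed sample sensor log: a trusted admin (.5) logging in, an untrusted
# client (.77) touching admin pages without ever hitting the login form, and a
# trusted host (.9) hammering the login form.
SAMPLE_LOG = """\
1712560000 192.168.0.5 192.168.0.1 GET /
1712560001 192.168.0.5 192.168.0.1 POST /login.cgi
1712560002 192.168.0.5 93.184.216.34 GET /
1712560010 192.168.0.77 192.168.0.1 GET /admin/status.cgi
1712560012 192.168.0.77 192.168.0.1 POST /admin/wan.cgi
1712560100 192.168.0.9 192.168.0.1 POST /login.cgi
1712560105 192.168.0.9 192.168.0.1 POST /login.cgi
1712560110 192.168.0.9 192.168.0.1 POST /login.cgi
1712560115 192.168.0.9 192.168.0.1 POST /login.cgi
1712560120 192.168.0.9 192.168.0.1 POST /login.cgi
"""


@dataclass
class Alert:
    kind: str      # "untrusted_mgmt_access" or "login_burst"
    src: str
    ts: int
    detail: str


def is_trusted(src: str) -> bool:
    """True if the source address falls inside one of the admin subnets."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in ADMIN_NETS)


def parse_line(line: str) -> tuple[int, str, str, str, str]:
    ts, src, dst, method, uri = line.split(maxsplit=4)
    return int(ts), src, dst, method.upper(), uri


def analyze(log_text: str) -> list[Alert]:
    """Return alerts for requests to the router's management address."""
    alerts: list[Alert] = []
    login_times: dict[str, list[int]] = defaultdict(list)

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, src, dst, method, uri = parse_line(raw)
        if dst != ROUTER_IP:
            continue  # not management-plane traffic

        # Rule 1: any request to the management interface from a host that is not
        # a designated admin. This is the rule that matters for an alternate-path
        # bypass, which may never touch the login form at all.
        if not is_trusted(src):
            alerts.append(Alert("untrusted_mgmt_access", src, ts, f"{method} {uri}"))

        # Rule 2: repeated login POSTs from one host inside a sliding window.
        if method == "POST" and LOGIN_URI_MARKER in uri.lower():
            recent = [t for t in login_times[src] if ts - t <= BURST_WINDOW_S]
            recent.append(ts)
            login_times[src] = recent
            if len(recent) == BURST_THRESHOLD:  # alert once, when the threshold is crossed
                alerts.append(Alert("login_burst", src, ts,
                                    f"{len(recent)} login POSTs within {BURST_WINDOW_S}s"))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.ts} {a.kind:22} src={a.src} {a.detail}")
```

On the sample log this yields two untrusted-access alerts for 192.168.0.77 and one login-burst alert for 192.168.0.9; the admin host 192.168.0.5 produces nothing. In practice the allowlist should be the short set of hosts that are ever expected to administer the router, so that rule 1 stays quiet under normal use.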

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment (Apr 8, 2024 at 6:15 AM): NVD published the first details for CVE-2024-31814.

First Article (Apr 8, 2024 at 1:24 PM, National Vulnerability Database): Feedly found the first article mentioning CVE-2024-31814.

CVSS Estimate (Apr 8, 2024 at 10:56 PM): Feedly estimated the CVSS score as HIGH.

EPSS (Apr 9, 2024 at 11:32 PM): EPSS score set to 0% (percentile: 8%).

EPSS (Apr 10, 2024 at 11:45 AM): EPSS score set to 0% (percentile: 8%).

EPSS (Apr 10, 2024 at 8:45 PM): EPSS score set to 0.04% (percentile: 7.9%).

CVSS (Aug 1, 2024 at 1:55 PM, nvd): A CVSS base score of 8.8 has been assigned.

Affected Systems

Totolink/ex200

Links to Mitre Att&cks

T1083: File and Directory Discovery

Attack Patterns

CAPEC-127: Directory Indexing
