Description
A security flaw has been discovered in TOTOLINK X2000R up to 2.0.0. The affected element is an unknown function of the file /etc/shadow.sample of the component Administrative Interface. The manipulation results in use of default credentials. Attacking locally is a requirement. Attacks of this nature are highly complex. The exploitability is described as difficult. The exploit has been released to the public and may be exploited.
CVSS breakdown
CVSS 4.0
Attack Vector
Local
Attack Complexity
High
Attack Requirements
None
Privileges Required
Low
User Interaction
None
Confidentiality (Vulnerable System)
Low
Integrity (Vulnerable System)
None
Availability (Vulnerable System)
None
Confidentiality (Subsequent System)
None
Integrity (Subsequent System)
None
Availability (Subsequent System)
None
E
Physical
CVSS 3.1
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
E
Physical
RL
X
RC
Required
Affected products
- totolink / X2000R2.0 – 2.0
References
- MISChttps://vuldb.com/?id.321691
- MISChttps://vuldb.com/?ctiid.321691
- MISChttps://vuldb.com/?submit.636069
- MISChttps://github.com/XXRicardo/iot-cve/blob/main/TOLOLINK/X2000R-Gh-V2.0.0.md
- MISChttps://github.com/XXRicardo/iot-cve/blob/main/TOLOLINK/X2000R-Gh-V2.0.0.md#steps-to-reproduce
- MISChttps://www.totolink.net/