Skip to main content

TOTOLINK CP450 CVE-2026-11554

| EUVD-2026-35177 LOW
Least Privilege Violation (CWE-272)
2026-06-08 VulDB GHSA-j4v3-p9cr-3xhp
Information Disclosure Cp450
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 18:34 vuln.today
Severity Changed
Jun 08, 2026 - 18:22 NVD
MEDIUM LOW
CVSS changed
Jun 08, 2026 - 18:22 NVD
4.3 (MEDIUM) 2.1 (LOW)

DescriptionCVE.org

A vulnerability was determined in TOTOLINK CP450 4.1.0cu.747. This vulnerability affects unknown code of the file /etc/vsftpd.conf of the component vsftpd. This manipulation causes least privilege violation. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized.

AnalysisAI

Least privilege violation in TOTOLINK CP450 router firmware 4.1.0cu.747 allows low-privileged remote attackers to perform unauthorized integrity-affecting actions via the vsftpd FTP service, whose configuration in /etc/vsftpd.conf grants excessive permissions beyond operational necessity. The vulnerability carries a low CVSS 4.0 score of 2.1, reflecting constrained impact limited to low integrity effects on the vulnerable system with no confidentiality or availability consequence. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Acquire low-privilege FTP credentials
Exploit
Connect to CP450 FTP service remotely
Execution
Exploit vsftpd.conf least privilege misconfiguration
Impact
Access or modify out-of-scope files on device
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a valid low-privilege account on the TOTOLINK CP450 device's FTP service (PR:L confirmed by CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The overall risk posture is low. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained low-privilege FTP credentials for a TOTOLINK CP450 device - through credential stuffing, default credential abuse, or social engineering - connects remotely to the device's FTP service over the network. By exploiting the least privilege misconfiguration in /etc/vsftpd.conf, the attacker accesses or modifies files outside their intended FTP directory scope, potentially overwriting configuration files or injecting content into accessible paths. …
Remediation No vendor-released patch version has been identified in the available data - patch availability per TOTOLINK has not been independently confirmed from the provided references, and the TOTOLINK website (https://www.totolink.net/) did not yield a specific security advisory. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11554 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy