Description
A vulnerability was determined in TOTOLINK CP450 4.1.0cu.747. This vulnerability affects unknown code of the file /etc/vsftpd.conf of the component vsftpd. This manipulation causes least privilege violation. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized.
Published: 2026-06-08
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from the manipulation of the /etc/vsftpd.conf configuration file on the TOTOLINK CP450. An attacker can alter the configuration to bypass the intended least‑privilege boundaries of the vsftpd component, potentially enabling higher‑privileged operations such as privileged file access or malformed command execution. The exploit is achievable remotely, and the vulnerability has been publicly disclosed.

Affected Systems

The vulnerability affects TOTOLINK CP450 devices running firmware version 4.1.0cu.747. The flaw is located in the vsftpd component's configuration file /etc/vsftpd.conf. No other product or version information is provided in the CVE record.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score is not available, so the current exploitation probability is unknown, but the vulnerability has been publicly disclosed and may already be in use. Because it can be triggered remotely via standard vsftpd connections, the risk to exposed devices is significant. The vulnerability is not listed in the CISA KEV catalog, but its existence in a widely deployed consumer router model warrants immediate attention.

Generated by OpenCVE AI on June 8, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade TOTOLINK CP450 firmware to a version that removes the vulnerable vsftpd configuration.
  • If an upgrade cannot be applied immediately, restrict access to the vsftpd service by using firewall rules to allow only trusted IP addresses.
  • Configure vsftpd to run with the minimal privileges required, ensuring that the configuration file permissions enforce least privilege and that no elevated capabilities are granted.

Generated by OpenCVE AI on June 8, 2026 at 19:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in TOTOLINK CP450 4.1.0cu.747. This vulnerability affects unknown code of the file /etc/vsftpd.conf of the component vsftpd. This manipulation causes least privilege violation. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized.
Title TOTOLINK CP450 vsftpd vsftpd.conf least privilege violation
First Time appeared Totolink
Totolink cp450 Firmware
Weaknesses CWE-266
CWE-272
CPEs cpe:2.3:o:totolink:cp450_firmware:*:*:*:*:*:*:*:*
Vendors & Products Totolink
Totolink cp450 Firmware
References
Metrics cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Totolink Cp450 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-08T17:30:11.745Z

Reserved: 2026-06-08T05:45:35.473Z

Link: CVE-2026-11554

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-08T18:16:32.670

Modified: 2026-06-08T18:16:32.670

Link: CVE-2026-11554

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T19:30:06Z

Weaknesses