PT-2025-16553 · Totolink · Totolink A3700R
Yhryhryhr
·
Published
2025-04-15
·
Updated
2025-04-22
·
CVE-2025-3664
CVSS v4.0
6.9
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
TOTOLINK A3700R version 9.1.2u.5822 B20200513
Description
A critical vulnerability was found in the TOTOLINK A3700R, affecting the function
setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi. The manipulation leads to improper access controls, allowing for remote attacks. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond.Recommendations
As a temporary workaround, consider disabling the
setWiFiEasyGuestCfg function until a patch is available. Restrict access to the /cgi-bin/cstecgi.cgi file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.Exploit
RCE
Incorrect Privilege Assignment
Improper Access Control
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Totolink A3700R