CVE-2025-6337

Name of the Vulnerable Software and Affected Versions: TOTOLINK A3002R and A3002RU versions 3.0.0-B20230809.1615 through 4.0.0-B20230531.1404

Description: A critical vulnerability has been found in the HTTP POST Request Handler of the affected devices. The issue is related to the manipulation of the submit-url argument, which leads to a buffer overflow. This can be exploited remotely. The exploit has been disclosed to the public.

Recommendations: For versions 3.0.0-B20230809.1615 through 4.0.0-B20230531.1404, consider disabling the HTTP POST Request Handler or restricting access to the /boafrm/formTmultiAP file until a patch is available. Avoid using the submit-url argument in the affected HTTP POST Request Handler to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.