CVE-2025-6393

Name of the Vulnerable Software and Affected Versions: TOTOLINK A702R versions 3.0.0-B20230809.1615 through 4.1.2cu.5232 B20210713 TOTOLINK A3002R versions 3.0.0-B20230809.1615 through 4.1.2cu.5232 B20210713 TOTOLINK A3002RU versions 3.0.0-B20230809.1615 through 4.1.2cu.5232 B20210713 TOTOLINK EX1200T versions 3.0.0-B20230809.1615 through 4.1.2cu.5232 B20210713

Description: A critical issue has been found in the HTTP POST Request Handler component of the affected devices. The problem lies in an unknown function of the file /boafrm/formIPv6Addr, where the manipulation of the submit-url argument leads to a buffer overflow. This can be exploited remotely. The exploit has been publicly disclosed.

Recommendations: For TOTOLINK A702R versions 3.0.0-B20230809.1615 through 4.1.2cu.5232 B20210713, restrict access to the /boafrm/formIPv6Addr file to minimize the risk of exploitation. For TOTOLINK A3002R versions 3.0.0-B20230809.1615 through 4.1.2cu.5232 B20210713, avoid using the submit-url argument in the affected HTTP POST Request Handler until the issue is resolved. For TOTOLINK A3002RU versions 3.0.0-B20230809.1615 through 4.1.2cu.5232 B20210713, consider disabling the HTTP POST Request Handler component temporarily as a workaround. For TOTOLINK EX1200T versions 3.0.0-B20230809.1615 through 4.1.2cu.5232 B20210713, as a temporary mitigation measure, limit remote access to the device until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.