CVE-2025-6916

Name of the Vulnerable Software and Affected Versions: TOTOLINK T6 version 4.1.5cu.748 B20211015

Description: A critical vulnerability was found in the TOTOLINK T6, affecting the Form Login function of the file /formLoginAuth.htm. The manipulation of the authCode/goURL argument leads to missing authentication. The attack must be initiated within the local network. The exploit has been disclosed to the public and may be used.

Recommendations: As a temporary workaround, consider disabling the Form Login function until a patch is available. Restrict access to the /formLoginAuth.htm file to minimize the risk of exploitation. Avoid using the authCode/goURL argument in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.