CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
A vulnerability was found in TOTOLINK A3002R and A3002RU 3.0.0-B20230809.1615/4.0.0-B20230531.1404. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /boafrm/formTmultiAP of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Analysis
CVE-2025-6337 is a critical buffer overflow vulnerability in TOTOLINK A3002R and A3002RU routers affecting versions 3.0.0-B20230809.1615 and 4.0.0-B20230531.1404. An authenticated attacker can exploit the 'submit-url' parameter in the /boafrm/formTmultiAP HTTP POST handler to achieve remote code execution with complete system compromise (confidentiality, integrity, and availability). Public exploit code exists and the vulnerability is exploitable over the network with low complexity.
Technical Context
The vulnerability exists in the HTTP POST request handler component of TOTOLINK's web administration interface, specifically in the /boafrm/formTmultiAP endpoint. The affected parameter 'submit-url' is not length-checked before being written to a fixed-size buffer, resulting in a classic CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) condition. TOTOLINK A3002R/RU are consumer-grade dual-band WiFi routers commonly deployed in small office/home office (SOHO) environments. The handler sits behind the router's web UI authentication, so an attacker must first authenticate, but no elevated privileges are required (PR:L in the CVSS vector). Depending on the implementation, the flaw yields a stack-based or heap-based buffer overflow, enabling arbitrary code execution with the router's own privileges.
Affected Products
TOTOLINK A3002R (WiFi Router) - versions 3.0.0-B20230809.1615 and 4.0.0-B20230531.1404; TOTOLINK A3002RU (WiFi Router) - versions 3.0.0-B20230809.1615 and 4.0.0-B20230531.1404. CPE identifiers would include cpe:2.3:o:totolink:a3002r_firmware:3.0.0-b20230809.1615:*:*:*:*:*:*:* and cpe:2.3:o:totolink:a3002r_firmware:4.0.0-b20230531.1404:*:*:*:*:*:*:* (and corresponding A3002RU variants). No patch information is provided in the description; vendor advisories should be consulted at TOTOLINK's security page or product support portal.
Remediation
Immediate actions:
(1) Check TOTOLINK's official website and security advisory page for patched firmware versions addressing CVE-2025-6337 for the A3002R and A3002RU models.
(2) If patches are available, update both affected devices immediately via the router's web UI (Settings > Firmware Update) or by manual upload of signed firmware binaries.
(3) If no patches exist, implement network-level mitigations: disable remote administration access, restrict web UI access to trusted internal IPs only via firewall rules, and enforce strong authentication credentials (change the default admin password immediately).
(4) Monitor router logs for unauthorized access attempts to the /boafrm/formTmultiAP endpoint.
(5) Consider isolating affected routers on a separate VLAN or network segment if patches are unavailable.
Workarounds are limited due to authentication bypass risk; patching is strongly preferred.
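Steps (3) and (4) above, restricting the admin UI to trusted sources and watching for abuse of the /boafrm/formTmultiAP handler, can be turned into a concrete detection rule. The following Python is an added example written for this page; it is not TOTOLINK code and not the exploit. It assumes captured HTTP requests are available from something in front of the router (an IDS, reverse proxy or packet capture), that legitimate 'submit-url' values are short page paths (the 128-byte threshold is an assumption), and that 192.168.0.0/24 is the trusted administration subnet (also an assumption). The sample requests at the bottom are constructed test input.

```python
"""Detection helper for CVE-2025-6337 exposure (added example, not vendor code).

Inspects captured HTTP requests and flags POSTs to the vulnerable
/boafrm/formTmultiAP handler that either come from outside the trusted
administration network or carry an abnormally long 'submit-url' field.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

TARGET_PATH = "/boafrm/formTmultiAP"   # endpoint named in the advisory
PARAM = "submit-url"                   # parameter named in the advisory

# Assumptions, not values from the advisory: legitimate submit-url values are
# short page paths, and only this subnet should ever reach the admin UI.
MAX_SUBMIT_URL_LEN = 128
TRUSTED_ADMIN_NETS = [ip_network("192.168.0.0/24")]


@dataclass
class Finding:
    src_ip: str
    submit_url_len: int
    reasons: List[str]


def parse_http_request(raw: bytes) -> Optional[Tuple[str, str, Dict[str, str], bytes]]:
    """Split a raw HTTP/1.x request into (method, path, headers, body); None if malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        return None
    method, target, _version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path = target.split("?", 1)[0]   # drop any query string before matching
    return method.upper(), path, headers, body


def inspect_request(src_ip: str, raw: bytes) -> Optional[Finding]:
    """Return a Finding for a suspicious formTmultiAP POST, else None."""
    parsed = parse_http_request(raw)
    if parsed is None:
        return None
    method, path, _headers, body = parsed
    if method != "POST" or path != TARGET_PATH:
        return None

    # parse_qs percent-decodes values, so the length measured here is the
    # decoded size the handler would copy into its buffer, not the wire size.
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    submit_url_len = max((len(v) for v in fields.get(PARAM, [])), default=0)

    reasons: List[str] = []
    if not any(ip_address(src_ip) in net for net in TRUSTED_ADMIN_NETS):
        reasons.append(f"source {src_ip} is outside the trusted admin networks")
    if submit_url_len > MAX_SUBMIT_URL_LEN:
        reasons.append(f"{PARAM} length {submit_url_len} exceeds {MAX_SUBMIT_URL_LEN}")
    return Finding(src_ip, submit_url_len, reasons) if reasons else None


def scan_requests(samples: List[Tuple[str, bytes]]) -> List[Finding]:
    """Run inspect_request over (src_ip, raw_request) pairs and collect findings."""
    findings = []
    for src_ip, raw in samples:
        finding = inspect_request(src_ip, raw)
        if finding is not None:
            findings.append(finding)
    return findings


def constructed_post(body: str) -> bytes:
    """Build a constructed sample POST to the advisory's endpoint (test input only)."""
    return (
        f"POST {TARGET_PATH} HTTP/1.1\r\nHost: 192.168.0.1\r\n"
        f"Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    ).encode("latin-1")


# Constructed samples: an ordinary admin save, an oversized field, an unrelated GET.
NORMAL_POST = constructed_post("submit-url=%2Fwizard.htm")
OVERSIZED_POST = constructed_post("submit-url=" + "A" * 600)
UNRELATED_GET = b"GET /index.htm HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n"

SAMPLES = [
    ("192.168.0.10", NORMAL_POST),     # admin host, ordinary value: clean
    ("192.168.0.10", OVERSIZED_POST),  # admin host, oversized field: flagged
    ("203.0.113.5", NORMAL_POST),      # external source hitting the handler: flagged
    ("203.0.113.5", UNRELATED_GET),    # unrelated request: ignored
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLES):
        print(finding)
```

Two findings come out of the constructed samples: the oversized field from the admin host and the ordinary-looking request from an external address. The second case matters even after patching, since any traffic reaching this handler from outside the admin subnet means the firewall restriction in step (3) is not in place.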
EUVD identifier: EUVD-2025-28720