EUVD-2025-18887CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Tags
Description
A vulnerability was found in TOTOLINK A702R, A3002R, A3002RU and EX1200T 3.0.0-B20230809.1615/4.0.0-B20230531.1404/4.0.0-B20230721.1521/4.1.2cu.5232_B20210713. It has been classified as critical. Affected is an unknown function of the file /boafrm/formIPv6Addr of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Analysis
CVE-2025-6393 is a critical buffer overflow vulnerability in the HTTP POST request handler of TOTOLINK routers affecting models A702R, A3002R, A3002RU, and EX1200T across multiple firmware versions. An authenticated attacker can exploit this vulnerability by manipulating the 'submit-url' parameter in requests to /boafrm/formIPv6Addr to achieve remote code execution with full system compromise (confidentiality, integrity, and availability impact). The exploit has been publicly disclosed and may be actively exploited in the wild.
Technical Context
The vulnerability exists in the HTTP POST request handler component of TOTOLINK firmware, specifically in the /boafrm/formIPv6Addr endpoint. The affected products utilize embedded web server technology (typically uHTTPd or similar lightweight HTTP daemons common in router firmware) for administrative interface management. The root cause is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), indicating a classic stack or heap buffer overflow where the 'submit-url' parameter lacks proper bounds checking during IPv6 address configuration processing. The vulnerability spans multiple TOTOLINK hardware models (CPE indicators: TOTOLINK A702R, A3002R, A3002RU, EX1200T) with affected firmware versions including 3.0.0-B20230809.1615, 4.0.0-B20230531.1404, 4.0.0-B20230721.1521, and 4.1.2cu.5232_B20210713. This suggests a long-standing code defect present across multiple firmware branches and hardware iterations.
Affected Products
- vendor: TOTOLINK; product: A702R; affected_versions: ['3.0.0-B20230809.1615 and prior'] - vendor: TOTOLINK; product: A3002R; affected_versions: ['4.0.0-B20230531.1404 and prior', '4.0.0-B20230721.1521 and prior'] - vendor: TOTOLINK; product: A3002RU; affected_versions: ['4.0.0-B20230531.1404 and prior', '4.0.0-B20230721.1521 and prior'] - vendor: TOTOLINK; product: EX1200T; affected_versions: ['4.1.2cu.5232_B20210713 and prior']
Remediation
Immediate actions: (1) Check TOTOLINK's official support website and advisory channels for firmware updates addressing CVE-2025-6393 for each affected model; firmware versions released after the identified vulnerable versions should be deployed immediately. (2) If patches are unavailable, implement network-level mitigations: restrict access to the router's administrative interface (typically port 80/443) to trusted IP addresses only via firewall rules, disable remote management if enabled, and enforce strong authentication credentials. (3) Monitor for exploitation attempts targeting the /boafrm/formIPv6Addr endpoint with abnormal 'submit-url' parameter values. (4) For organizations unable to patch immediately, consider deploying intrusion detection signatures targeting POST requests to /boafrm/formIPv6Addr with oversized or malformed submit-url parameters. (5) Prioritize patching as this is a pre-authenticated or low-privilege vulnerability with public POC—treat as highest priority maintenance window. Vendor advisory and patch download links should be obtained directly from TOTOLINK's official support portal to verify authenticity.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today