CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
A vulnerability was found in TOTOLINK N300RH 6.1c.1390_B20191101 and classified as critical. Affected by this issue is some unknown functionality of the file /boafrm/formPortFw of the component HTTP POST Message Handler. The manipulation of the argument service_type leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
CVE-2025-6400 is a critical buffer overflow vulnerability in TOTOLINK N300RH router firmware version 6.1c.1390_B20191101, exploitable via HTTP POST requests to the /boafrm/formPortFw endpoint through manipulation of the service_type parameter. An authenticated attacker can trigger it remotely to achieve complete system compromise (confidentiality, integrity, and availability). Public exploit code is available, and the disclosed PoC combined with remote exploitability from an authenticated state means the vulnerability meets the criteria for active exploitation risk.
Technical Context (AI)
The vulnerability exists in the HTTP POST message handler component of TOTOLINK's web management interface, specifically in the port forwarding configuration endpoint (/boafrm/formPortFw). The root cause is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), a classic buffer overflow flaw where user-supplied input in the 'service_type' parameter is not properly validated before being written to a fixed-size buffer on the stack or heap. The affected product is a residential WiFi router running a proprietary firmware stack with a web-based management interface. The HTTP POST handler parses incoming form data without adequate bounds checking, allowing an authenticated user to overflow adjacent memory regions and potentially achieve arbitrary code execution or denial of service.
Remediation (AI)
Immediate actions:
(1) TOTOLINK should release a patched firmware version addressing the buffer overflow in the formPortFw handler; no specific patch version is referenced in available data, so the timeline requires contacting the vendor.
(2) Users should disable remote management/web access if not required, restricting web interface access to the local LAN only via firewall rules.
(3) Implement strong authentication (change default credentials) to reduce risk from credential-based attacks.
(4) Monitor for suspicious POST requests to the /boafrm/formPortFw endpoint.
(5) Consider replacing the router with an alternative vendor if TOTOLINK cannot provide a timely patch.
(6) If web management must be exposed, place it behind a VPN or firewall restricting access to trusted IPs.
Contact TOTOLINK support directly for patch availability and release timelines; as of this analysis, no public patch link is confirmed.
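Remediation item (4) can be implemented as a check over requests seen by a reverse proxy or IDS sitting in front of the router's web interface. The following is an added example, not code from TOTOLINK or from the advisory; the 32-byte limit, the trusted subnet and the sample requests are assumptions, since the real buffer size is not published.

```python
import ipaddress
from urllib.parse import unquote_to_bytes, urlsplit

ENDPOINT = "/boafrm/formPortFw"  # endpoint named in the advisory
PARAM = b"service_type"          # parameter named in the advisory
MAX_LEN = 32                     # assumed limit; the real buffer size is not published
TRUSTED = [ipaddress.ip_network("192.168.0.0/24")]  # assumed management LAN

def form_values(body, name):
    """Decoded values of every occurrence of `name` in a urlencoded body."""
    values = []
    for pair in body.split(b"&"):
        key, _, raw = pair.partition(b"=")
        if unquote_to_bytes(key.replace(b"+", b" ")) == name:
            values.append(unquote_to_bytes(raw.replace(b"+", b" ")))
    return values

def inspect_request(src_ip, method, target, body):
    """Return findings for one captured request; an empty list means no alert."""
    if method.upper() != "POST" or urlsplit(target).path != ENDPOINT:
        return []
    findings = []
    if not any(ipaddress.ip_address(src_ip) in net for net in TRUSTED):
        findings.append("source outside trusted management range")
    values = form_values(body, PARAM)
    if len(values) > 1:
        findings.append("service_type repeated")
    for value in values:
        # Measure the length after URL decoding, as a form handler would see it.
        if len(value) > MAX_LEN:
            findings.append(f"service_type is {len(value)} bytes (limit {MAX_LEN})")
        if any(b < 0x20 or b > 0x7E for b in value):
            findings.append("service_type contains non-printable bytes")
    return findings

# Constructed sample requests (not real captures): (source, method, target, body)
SAMPLES = [
    ("192.168.0.10", "POST", "/boafrm/formPortFw", b"service_type=TCP&other=1"),
    ("203.0.113.7", "POST", "/boafrm/formPortFw", b"service_type=" + b"A" * 300),
    ("192.168.0.10", "GET", "/index.htm", b""),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], sample[1], sample[2], inspect_request(*sample) or "ok")
```

Tune `MAX_LEN` against the values the legitimate port forwarding form actually submits on your device before alerting on it.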
EUVD-2025-18805