CVE-2025-6402

EUVD-2025-18808 | HIGH 8.8 (CVSS 3.1) | 2025-06-21

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 15, 2026 - 21:35 (vuln.today)
EUVD ID Assigned: Mar 15, 2026 - 21:35 (euvd), EUVD-2025-18808
PoC Detected: Jun 25, 2025 - 20:14 (vuln.today), public exploit code
CVE Published: Jun 21, 2025 - 09:15 (nvd), HIGH 8.8

Description

A vulnerability was found in TOTOLINK X15 1.0.0-B20230714.1105. It has been declared as critical. This vulnerability affects unknown code of the file /boafrm/formIpv6Setup of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Analysis

CVE-2025-6402 is a critical buffer overflow vulnerability in TOTOLINK X15 firmware version 1.0.0-B20230714.1105 affecting the IPv6 setup HTTP POST handler. An authenticated remote attacker can exploit improper input validation on the 'submit-url' parameter to achieve complete system compromise (confidentiality, integrity, and availability). Public exploit code exists for this vulnerability, increasing real-world exploitation risk.

Technical Context

The vulnerability exists in the HTTP POST request handler for the /boafrm/formIpv6Setup endpoint on TOTOLINK X15 routers. The root cause is CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), a classic buffer overflow condition where the 'submit-url' parameter is not properly validated before being written to a fixed-size buffer. This allows an attacker to overflow the buffer, potentially overwriting adjacent memory including function return addresses or heap metadata, enabling arbitrary code execution. The affected component likely uses legacy C-based HTTP form parsing without bounds checking. The attack requires authentication (PR:L in CVSS), which limits exposure, but the flaw remains exploitable by authenticated users or through compromised credentials.

Affected Products

TOTOLINK X15 firmware versions up to and including 1.0.0-B20230714.1105. CPE representation: cpe:2.3:o:totolink:x15_firmware:1.0.0-b20230714.1105:*:*:*:*:*:*:*. The X15 is a consumer Wi-Fi router; all deployments running the specified firmware version are affected. Vendor advisory and patch availability must be obtained from TOTOLINK support; no official vendor references provided in standard CVE databases at the time of analysis.

Remediation

Immediate actions:
(1) Upgrade firmware to the patched version released by TOTOLINK (version number to be confirmed from the official vendor advisory; contact TOTOLINK support at support.totolink.net).
(2) If a patch is unavailable, disable remote access to /boafrm/formIpv6Setup via router access control lists or firewall rules.
(3) Restrict HTTP administrative access to trusted IP ranges only.
(4) Change default credentials and enforce strong authentication.
(5) Monitor router logs for POST requests to IPv6 setup endpoints with suspicious 'submit-url' parameters.

Vendors: TOTOLINK should release a firmware patch prioritized as critical.
Users: subscribe to TOTOLINK security advisories and apply patches immediately upon release.
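One way to implement the log monitoring in action (5), as an added example that is not code from vuln.today or TOTOLINK. It assumes a proxy or sensor in front of the router that logs request bodies in the simple space-separated format shown; the 128-character ceiling, the local-path pattern and every sample line are assumptions constructed for illustration.

```python
# Added example: flag POSTs to /boafrm/formIpv6Setup with an abnormal submit-url.
import re
from urllib.parse import parse_qs

ENDPOINT = "/boafrm/formIpv6Setup"   # endpoint named in the advisory
PARAM = "submit-url"                 # parameter named in the advisory
MAX_SUBMIT_URL = 128                 # assumed ceiling; tune to your own baseline

# Assumed log format: <timestamp> <client-ip> <METHOD> <path> <urlencoded-body>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) ?(.*)$")
# Assumption: a legitimate value is a short local page path such as /page.htm
LOCAL_PAGE_RE = re.compile(r"/[A-Za-z0-9_./-]*")

def inspect(line):
    """Return the reasons a log line is suspicious (empty list means clean)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    _ts, _src, method, path, body = m.groups()
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return []
    # latin-1 keeps every percent-decoded byte as one character, so len() counts bytes
    values = parse_qs(body, keep_blank_values=True, encoding="latin-1").get(PARAM, [])
    reasons = []
    if len(values) > 1:
        reasons.append("duplicate submit-url")
    for v in values:
        if len(v) > MAX_SUBMIT_URL:
            reasons.append(f"submit-url length {len(v)} > {MAX_SUBMIT_URL}")
        if not LOCAL_PAGE_RE.fullmatch(v):
            reasons.append("submit-url is not a plain local path")
    return reasons

def scan(lines):
    """Return (client-ip, reasons) for each suspicious line."""
    return [(l.split()[1], r) for l in lines if (r := inspect(l))]

# Constructed sample log lines (not real traffic).
SAMPLE = [
    "2025-06-26T10:00:01Z 192.0.2.10 POST /boafrm/formIpv6Setup enabled=1&submit-url=%2Fipv6.htm",
    "2025-06-26T10:00:07Z 192.0.2.66 POST /boafrm/formIpv6Setup enabled=1&submit-url=" + "A" * 600,
    "2025-06-26T10:00:09Z 192.0.2.10 GET /index.htm",
    "2025-06-26T10:00:12Z 192.0.2.77 POST /boafrm/formIpv6Setup submit-url=%2Fipv6.htm%00%ff",
]

if __name__ == "__main__":
    for src, reasons in scan(SAMPLE):
        print(src, "; ".join(reasons))
```

A length-only rule misses short values carrying raw bytes, which is why the path-shape check runs alongside it.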

Priority Score

64
KEV: 0
EPSS: +0.2
CVSS: +44
POC: +20
