Skip to main content

Totolink X5000R EUVDEUVD-2026-28528

| CVE-2026-8137 HIGH
Classic Buffer Overflow (CWE-120)
2026-05-08 VulDB GHSA-8cxw-g3j3-5xpx
7.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 08, 2026 - 05:31 vuln.today
CVSS changed
May 08, 2026 - 05:22 NVD
8.8 (HIGH) 7.4 (HIGH)
CVE Published
May 08, 2026 - 04:00 nvd
HIGH 7.4

DescriptionCVE.org

A vulnerability has been found in Totolink X5000R 9.1.0u.6369_B20230113. This vulnerability affects the function sub_458E40 of the file /boafrm/formDdns. The manipulation of the argument submit-url leads to buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.

AnalysisAI

Buffer overflow in Totolink X5000R 9.1.0u.6369_B20230113 router firmware allows authenticated remote attackers to execute arbitrary code or cause denial of service via crafted submit-url parameter to /boafrm/formDdns endpoint. Public exploit code exists (GitHub). CVSS 7.4 indicates high severity but requires authenticated access (PR:L), limiting immediate risk to environments where router credentials are compromised. EPSS data not available; prioritize if router exposed to internet or untrusted networks.

Technical ContextAI

The vulnerability resides in the sub_458E40 function within the /boafrm/formDdns component of the Totolink X5000R router's web management interface. This is a classic stack-based or heap-based buffer overflow (CWE-120) where the submit-url parameter lacks proper bounds checking before being copied into a fixed-size buffer. DDNS (Dynamic DNS) management interfaces typically accept URL strings for DDNS service providers, and insufficient input validation allows attackers to overflow the buffer with oversized input. The affected CPE (cpe:2.3:a:totolink:x5000r) confirms this is application-level firmware vulnerability in Totolink's router product line. Router web interfaces commonly suffer from memory corruption issues due to embedded systems' use of unsafe C string functions and limited security hardening in legacy firmware.

RemediationAI

No vendor-released patch identified at time of analysis - Totolink has not published a security advisory or updated firmware version addressing CVE-2026-8137 per available references. Until a patch is released, implement these compensating controls: (1) Disable remote web management access entirely if not operationally required - access router administration only from trusted internal networks, eliminating network attack vector (AV:N). Trade-off: loses remote management capability. (2) Change default administrator credentials to strong unique passwords (16+ characters) and enable any available account lockout features to prevent credential brute-forcing. Trade-off: requires password management discipline. (3) Implement network segmentation to isolate router management interface from untrusted VLANs/networks using firewall rules that permit admin access only from specific management workstations. Trade-off: increases network complexity. (4) Monitor router logs for unusual DDNS configuration changes or repeated authentication failures. Trade-off: requires log aggregation infrastructure. (5) Consider replacing device with alternative router models from vendors with active security support if Totolink does not issue timely patch. Monitor VulDB (https://vuldb.com/vuln/361926) and Totolink's site for future security updates.

Share

EUVD-2026-28528 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy