N300Rt
Monthly
Buffer overflow in Totolink N300RT router firmware 3.4.0-B20250430 allows authenticated remote attackers with high-privilege administrative access to execute arbitrary code via crafted input to the entry_name parameter in /boafrm/formIpQoS. Public exploit code is available on GitHub demonstrating the vulnerability. EPSS data not provided, but the requirement for high-privilege authentication significantly limits real-world exploitation surface to scenarios where administrative credentials are already compromised.
Buffer overflow in Totolink N300RT 3.4.0-B20250430 enables authenticated remote code execution via the WPS configuration handler. An attacker with administrative credentials (PR:H) can send a crafted localPin parameter to /boafrm/formWsc, overflowing a buffer in the is_cmd_string_valid function (libapmib.so) to execute arbitrary code with full system access (VC:H/VI:H/VA:H). Public proof-of-concept exploit code exists on GitHub (xiaohaiyang-ai/TOTOLINK-N300RT-Buffer-Overflow), increasing weaponization risk despite requiring privileged access. EPSS data not available; no CISA KEV listing indicates exploitation not yet widespread in wild attacks.
Buffer overflow in Totolink N300RT router firmware 3.4.0-B20250430 allows authenticated remote attackers with high-privilege administrative access to execute arbitrary code via crafted input to the entry_name parameter in /boafrm/formIpQoS. Public exploit code is available on GitHub demonstrating the vulnerability. EPSS data not provided, but the requirement for high-privilege authentication significantly limits real-world exploitation surface to scenarios where administrative credentials are already compromised.
Buffer overflow in Totolink N300RT 3.4.0-B20250430 enables authenticated remote code execution via the WPS configuration handler. An attacker with administrative credentials (PR:H) can send a crafted localPin parameter to /boafrm/formWsc, overflowing a buffer in the is_cmd_string_valid function (libapmib.so) to execute arbitrary code with full system access (VC:H/VI:H/VA:H). Public proof-of-concept exploit code exists on GitHub (xiaohaiyang-ai/TOTOLINK-N300RT-Buffer-Overflow), increasing weaponization risk despite requiring privileged access. EPSS data not available; no CISA KEV listing indicates exploitation not yet widespread in wild attacks.