
CVE-2025-9533 – TOTOLINK T10 formLoginAuth.htm improper authentication
https://notcve.org/view.php?id=CVE-2025-9533
27 Aug 2025 — A vulnerability has been found in TOTOLINK T10 4.1.8cu.5241_B20210927. An unknown function of the file /formLoginAuth.htm is affected. Manipulation of the argument authCode with the input 1 leads to improper authentication. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. • https://vuldb.com/?id.321552 • CWE-287: Improper Authentication •

CVE-2025-9303 – TOTOLINK A720R cstecgi.cgi setParentalRules buffer overflow
https://notcve.org/view.php?id=CVE-2025-9303
21 Aug 2025 — A security flaw has been discovered in TOTOLINK A720R 4.1.5cu.630_B20250509. This issue affects the function setParentalRules of the file /cgi-bin/cstecgi.cgi. Manipulation of the argument desc results in a buffer overflow. The attack can be carried out remotely. The exploit has been released to the public and may be exploited. • https://vuldb.com/?id.320908 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •

CVE-2025-55584
https://notcve.org/view.php?id=CVE-2025-55584
18 Aug 2025 — TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain insecure credentials for the telnet service and root account. • https://github.com/goldenGlow21/softwares_PoC/blob/main/A3002R_V4/Telnet/PoC.md • CWE-1391: Use of Weak Credentials •

CVE-2025-55585
https://notcve.org/view.php?id=CVE-2025-55585
18 Aug 2025 — TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain an eval injection vulnerability via the eval() function. • https://github.com/goldenGlow21/softwares_PoC/blob/main/A3002R_V4/Eval%20Injection/PoC.md • CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •

CVE-2025-55586
https://notcve.org/view.php?id=CVE-2025-55586
18 Aug 2025 — TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow in the url parameter at /boafrm/formFilter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. • https://github.com/goldenGlow21/softwares_PoC/blob/main/A3002R_V4/Boa%20-%20BOF/formFilter%20PoC.md • CWE-400: Uncontrolled Resource Consumption •

CVE-2025-55587
https://notcve.org/view.php?id=CVE-2025-55587
18 Aug 2025 — TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow in the hostname parameter at /boafrm/formMapDelDevice. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. • https://github.com/goldenGlow21/softwares_PoC/blob/main/A3002R_V4/Boa%20-%20BOF/formMapDelDevice%20PoC.md • CWE-400: Uncontrolled Resource Consumption •

CVE-2025-55588
https://notcve.org/view.php?id=CVE-2025-55588
18 Aug 2025 — TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow in the fw_ip parameter at /boafrm/formPortFw. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. • https://github.com/goldenGlow21/softwares_PoC/blob/main/A3002R_V4/Boa%20-%20BOF/formPortFw%20PoC.md • CWE-400: Uncontrolled Resource Consumption •

CVE-2025-55589
https://notcve.org/view.php?id=CVE-2025-55589
18 Aug 2025 — TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain multiple OS command injection vulnerabilities via the macstr, bandstr, and clientoff parameters at /boafrm/formMapDelDevice. • https://github.com/goldenGlow21/softwares_PoC/blob/main/A3002R_V4/Boa%20-%20Command%20Injection/PoC%201.md • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2025-55590
https://notcve.org/view.php?id=CVE-2025-55590
18 Aug 2025 — TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a command injection vulnerability via the component bupload.html. • https://github.com/goldenGlow21/softwares_PoC/blob/main/A3002R_V4/Boa%20-%20Command%20Injection/PoC%203.md • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2025-55591
https://notcve.org/view.php?id=CVE-2025-55591
18 Aug 2025 — TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a command injection vulnerability in the devicemac parameter in the formMapDel endpoint. • https://github.com/goldenGlow21/softwares_PoC/blob/main/A3002R_V4/Boa%20-%20Command%20Injection/PoC%202.md • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •