CVE-2025-4829: TOTOLINK A702R/A3002R/A3002RU HTTP POST Request formStats sub_40BE30 buffer overflow
Description
A vulnerability classified as critical was found in TOTOLINK A702R, A3002R and A3002RU 3.0.0-B20230809.1615. Affected by this vulnerability is the function sub_40BE30 of the file /boafrm/formStats of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. In TOTOLINK A702R, A3002R and A3002RU 3.0.0-B20230809.1615 wurde eine kritische Schwachstelle entdeckt. Es geht um die Funktion sub_40BE30 der Datei /boafrm/formStats der Komponente HTTP POST Request Handler. Durch Manipulieren des Arguments submit-url mit unbekannten Daten kann eine buffer overflow-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk erfolgen. Der Exploit steht zur öffentlichen Verfügung.
Classification
CVE ID: CVE-2025-4829
CVSS Base Severity: HIGH
CVSS Base Score: 8.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products
Vendor: TOTOLINK
Product: A702R, A3002R, A3002RU
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.14% (probability of being exploited)
EPSS Percentile: 35.8% (scored less or equal to compared to others)
EPSS Date: 2025-06-15 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2025-4829https://vuldb.com/?id.309295
https://vuldb.com/?ctiid.309295
https://vuldb.com/?submit.574599
https://github.com/CH13hh/tmp_store_cc/blob/main/toto/7.md
https://www.totolink.net/