Totolink N150rt Firmware

TOTOLINK N150RT 3.4.0 - /boa/formWSC Remote OS Cmd Inject
CVE-2025-6299 4.7 - Medium - June 20, 2025

A vulnerability classified as critical has been found in TOTOLINK N150RT 3.4.0-B20190525. This affects an unknown part of the file /boa/formWSC. The manipulation of the argument targetAPSsid leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Shell injection

TOTOLINK N150RT 3.4.0-B20190525 Remote Buffer Overflow via /boafrm/formWsc
CVE-2025-4462 8.8 - High - May 09, 2025

A vulnerability, which was classified as critical, has been found in TOTOLINK N150RT 3.4.0-B20190525. This issue affects some unknown processing of the file /boafrm/formWsc. The manipulation of the argument localPin leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Classic Buffer Overflow

TOTOLINK N150RT 3.4.0 XSS via Virtual Server Page
CVE-2025-4461 5.4 - Medium - May 09, 2025

A vulnerability classified as problematic was found in TOTOLINK N150RT 3.4.0-B20190525. This vulnerability affects unknown code of the component Virtual Server Page. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

XSS

TOTOLINK N150RT <3.4.0> remote XSS URL Filter Page
CVE-2025-4460 4.8 - Medium - May 09, 2025

A vulnerability classified as problematic has been found in TOTOLINK N150RT 3.4.0-B20190525. This affects an unknown part of the component URL Filtering Page. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

XSS

TOTOLINK N150RT 3.4.0-B20190525 XSS via Comment in /home.htm (MAC Filter)
CVE-2025-3996 4.8 - Medium - April 28, 2025

A vulnerability was found in TOTOLINK N150RT 3.4.0-B20190525. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /home.htm of the component MAC Filtering Page. The manipulation of the argument Comment leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

XSS

Remote XSS via Hostname in TOTOLINK N150RT 3.4.0-B20190525 LAN Settings
CVE-2025-3995 3.4 - Low - April 28, 2025

A vulnerability was found in TOTOLINK N150RT 3.4.0-B20190525. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /boafrm/fromStaticDHCP of the component LAN Settings Page. The manipulation of the argument Hostname leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

XSS

XSS via Comment param in TOTOLINK N150RT 3.4.0-B20190525 IP Port Filtering
CVE-2025-3994 3.4 - Low - April 28, 2025

A vulnerability was found in TOTOLINK N150RT 3.4.0-B20190525. It has been classified as problematic. Affected is an unknown function of the file /home.htm of the component IP Port Filtering. The manipulation of the argument Comment leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

XSS

TOTOLINK N150RT 3.4.0-B20190525 Buffer Overflow via submit-url (Remote Critical)
CVE-2025-3993 8.8 - High - April 28, 2025

A vulnerability was found in TOTOLINK N150RT 3.4.0-B20190525 and classified as critical. This issue affects some unknown processing of the file /boafrm/formWsc. The manipulation of the argument submit-url leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Classic Buffer Overflow

TOTOLINK N150RT 3.4.0 B Buffer Overflow via /boafrm/formWlwds (submit-url)
CVE-2025-3992 8.8 - High - April 28, 2025

A vulnerability has been found in TOTOLINK N150RT 3.4.0-B20190525 and classified as critical. This vulnerability affects unknown code of the file /boafrm/formWlwds. The manipulation of the argument submit-url leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Classic Buffer Overflow

TOTOLINK N150RT 3.4.0 critical Buffer Overflow via submit-url in formWdsEncrypt
CVE-2025-3991 8.8 - High - April 28, 2025

A vulnerability, which was classified as critical, was found in TOTOLINK N150RT 3.4.0-B20190525. This affects an unknown part of the file /boafrm/formWdsEncrypt. The manipulation of the argument submit-url leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Classic Buffer Overflow

TOTOLINK N150RT 3.4.0-B20190525: Buffer Overflow in /boafrm/formVlan
CVE-2025-3990 8.8 - High - April 27, 2025

A vulnerability, which was classified as critical, has been found in TOTOLINK N150RT 3.4.0-B20190525. Affected by this issue is some unknown functionality of the file /boafrm/formVlan. The manipulation of the argument submit-url leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Classic Buffer Overflow

TOTOLINK N150RT 3.4.0-B20190525: /boafrm/formStaticDHCP BufOverflow Hostname
CVE-2025-3989 8.8 - High - April 27, 2025

A vulnerability classified as critical was found in TOTOLINK N150RT 3.4.0-B20190525. Affected by this vulnerability is an unknown functionality of the file /boafrm/formStaticDHCP. The manipulation of the argument Hostname leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Classic Buffer Overflow

TOTOLINK N150RT 3.4.0 Buffer Overflow via service_type in formPortFw
CVE-2025-3988 8.8 - High - April 27, 2025

A vulnerability classified as critical has been found in TOTOLINK N150RT 3.4.0-B20190525. Affected is an unknown function of the file /boafrm/formPortFw. The manipulation of the argument service_type leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Classic Buffer Overflow

Command Injection in TOTOLINK N150RT 3.4.0-B20190525 via /boafrm/formWsc localPin
CVE-2025-3987 8.8 - High - April 27, 2025

A vulnerability was found in TOTOLINK N150RT 3.4.0-B20190525. It has been rated as critical. This issue affects some unknown processing of the file /boafrm/formWsc. The manipulation of the argument localPin leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Command Injection

On certain TOTOLINK Realtek SDK based routers, an authenticated attacker may execute arbitrary OS commands
CVE-2019-19824 - January 27, 2020

On certain TOTOLINK Realtek SDK based routers, an authenticated attacker may execute arbitrary OS commands via the sysCmd parameter to the boafrm/formSysCmd URI, even if the GUI (syscmd.htm) is not available. This allows for full control over the device's internals. This affects A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, N100RE through 3.4.0, and N302RE 2.0.2.