cnvd - cnvd-2025-17706

CNVD-2025-17706

Vulnerability from cnvd - Published: 2025-08-07

Title

TOTOLINK N300RH拒绝服务漏洞

Description

TOTOLINK N300RH是中国吉翁电子（TOTOLINK）推出的长距离无线路由器，支持IEEE 802.11n标准，最高无线传输速率达300Mbps。 TOTOLINK N300RH存在拒绝服务漏洞，该漏洞源于文件/boafrm/formFilter中参数url的错误操作，攻击者可利用该漏洞导致拒绝服务。

Severity

低

Formal description

目前厂商尚未发布升级程序修复该安全问题，详情见厂商官网： https://www.totolink.net/

Reference

https://nvd.nist.gov/vuln/detail/CVE-2025-6401

Impacted products

Name
TOTOLINK N300RH 6.1c.1390_B20191101

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-6401",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-6401"
    }
  },
  "description": "TOTOLINK N300RH\u662f\u4e2d\u56fd\u5409\u7fc1\u7535\u5b50\uff08TOTOLINK\uff09\u63a8\u51fa\u7684\u957f\u8ddd\u79bb\u65e0\u7ebf\u8def\u7531\u5668\uff0c\u652f\u6301IEEE 802.11n\u6807\u51c6\uff0c\u6700\u9ad8\u65e0\u7ebf\u4f20\u8f93\u901f\u7387\u8fbe300Mbps\u3002\n\nTOTOLINK N300RH\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u6587\u4ef6/boafrm/formFilter\u4e2d\u53c2\u6570url\u7684\u9519\u8bef\u64cd\u4f5c\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5c1a\u672a\u53d1\u5e03\u5347\u7ea7\u7a0b\u5e8f\u4fee\u590d\u8be5\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u89c1\u5382\u5546\u5b98\u7f51\uff1a\r\nhttps://www.totolink.net/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-17706",
  "openTime": "2025-08-07",
  "products": {
    "product": "TOTOLINK N300RH 6.1c.1390_B20191101"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2025-6401",
  "serverity": "\u4f4e",
  "submitTime": "2025-07-08",
  "title": "TOTOLINK N300RH\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e"
}

CVE-2025-6401 (GCVE-0-2025-6401)

Vulnerability from cvelistv5 – Published: 2025-06-21 06:31 – Updated: 2025-06-23 19:27

Title

TOTOLINK N300RH HTTP POST Message formFilter denial of service

Summary

A vulnerability was found in TOTOLINK N300RH 6.1c.1390_B20191101. It has been classified as problematic. This affects an unknown part of the file /boafrm/formFilter of the component HTTP POST Message Handler. The manipulation of the argument url leads to denial of service. The exploit has been disclosed to the public and may be used.

Severity ?

5.1 (Medium)


                        
                          CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

3.5 (Low)


                        
                          CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R

3.5 (Low)


                        
                          CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R

CWE

CWE-404 - Denial of Service

Assigner

VulDB

References

URL

Tags

	https://vuldb.com/?id.313395	vdb-entrytechnical-description
	https://vuldb.com/?ctiid.313395	signaturepermissions-required
	https://vuldb.com/?submit.597688	third-party-advisory
	https://github.com/d2pq/cve/blob/main/616/21.md	related
	https://github.com/d2pq/cve/blob/main/616/21.md#poc	exploit
	https://www.totolink.net/	product

Impacted products

	Vendor	Product	Version
	TOTOLINK	N300RH	Affected: 6.1c.1390_B20191101

Credits

yuhongxiang (VulDB User)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-6401",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-23T16:09:27.308682Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-23T19:27:48.226Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/d2pq/cve/blob/main/616/21.md"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "HTTP POST Message Handler"
          ],
          "product": "N300RH",
          "vendor": "TOTOLINK",
          "versions": [
            {
              "status": "affected",
              "version": "6.1c.1390_B20191101"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "yuhongxiang (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in TOTOLINK N300RH 6.1c.1390_B20191101. It has been classified as problematic. This affects an unknown part of the file /boafrm/formFilter of the component HTTP POST Message Handler. The manipulation of the argument url leads to denial of service. The exploit has been disclosed to the public and may be used."
        },
        {
          "lang": "de",
          "value": "Es wurde eine Schwachstelle in TOTOLINK N300RH 6.1c.1390_B20191101 ausgemacht. Sie wurde als problematisch eingestuft. Es betrifft eine unbekannte Funktion der Datei /boafrm/formFilter der Komponente HTTP POST Message Handler. Mittels dem Manipulieren des Arguments url mit unbekannten Daten kann eine denial of service-Schwachstelle ausgenutzt werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 2.3,
            "vectorString": "AV:A/AC:M/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-404",
              "description": "Denial of Service",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-21T06:31:08.227Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-313395 | TOTOLINK N300RH HTTP POST Message formFilter denial of service",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.313395"
        },
        {
          "name": "VDB-313395 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.313395"
        },
        {
          "name": "Submit #597688 | TOTOLINK  N300RH_V4 V6.1c.1390_B20191101 Buffer Overflow",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.597688"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://github.com/d2pq/cve/blob/main/616/21.md"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/d2pq/cve/blob/main/616/21.md#poc"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://www.totolink.net/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-06-20T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-06-20T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-06-20T12:43:55.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "TOTOLINK N300RH HTTP POST Message formFilter denial of service"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-6401",
    "datePublished": "2025-06-21T06:31:08.227Z",
    "dateReserved": "2025-06-20T10:38:48.055Z",
    "dateUpdated": "2025-06-23T19:27:48.226Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2025-17706

CVE-2025-6401 (GCVE-0-2025-6401)

Tags

Sightings

Nomenclature