Details of VAR-202012-0495

ID

VAR-202012-0495

CVE

CVE-2020-25499

TITLE

TOTOLINK A3002RU Vulnerability in Microsoft

Trust: 0.8

sources: JVNDB: JVNDB-2020-014451

DESCRIPTION

TOTOLINK A3002RU-V2.0.0 B20190814.1034 allows authenticated remote users to modify the system's 'Run Command'. An attacker can use this functionality to execute arbitrary OS commands on the router. TOTOLINK A3002RU There are vulnerabilities related to lack of authentication, and OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Totolink TOTOLINK A3002RU is a wireless router product from Totolink, Taiwan

Trust: 2.25

sources: NVD: CVE-2020-25499 // JVNDB: JVNDB-2020-014451 // CNVD: CNVD-2020-70958 // VULMON: CVE-2020-25499

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-70958

AFFECTED PRODUCTS

vendor:	totolink	model:	n150rt	scope:	lt	version:	3.4.0-b20201030.1142	Trust: 1.0
vendor:	totolink	model:	n302r plus	scope:	lt	version:	3.4.0-b20201028.2224	Trust: 1.0
vendor:	totolink	model:	n200re-v3	scope:	lt	version:	3.4.0-b20201029.1811	Trust: 1.0
vendor:	totolink	model:	a3002ru-v1	scope:	lt	version:	3.4.0-b20201030.1754	Trust: 1.0
vendor:	totolink	model:	a3002r	scope:	lt	version:	1.1.1-b20200824.0128	Trust: 1.0
vendor:	totolink	model:	n300rh-v3	scope:	lt	version:	3.2.4-b20201029.1838	Trust: 1.0
vendor:	totolink	model:	n200re-v4	scope:	lt	version:	4.0.0-b20200805.1507	Trust: 1.0
vendor:	totolink	model:	n300rt	scope:	lt	version:	3.4.0-b20201026.2033	Trust: 1.0
vendor:	totolink	model:	n210re	scope:	lt	version:	1.0.0-b20201030.2030	Trust: 1.0
vendor:	totolink	model:	a702r-v2	scope:	lt	version:	1.0.0-b20201028.1743	Trust: 1.0
vendor:	totolink	model:	a3002ru-v2	scope:	lt	version:	2.1.1-b20200911.1756	Trust: 1.0
vendor:	totolink	model:	a702r-v3	scope:	lt	version:	1.0.0-b20201103.1713	Trust: 1.0
vendor:	totolink	model:	n100re-v3	scope:	lt	version:	3.4.0-b20201030.0926	Trust: 1.0
vendor:	totolink	model:	n200re-v4	scope:	-	version:	-	Trust: 0.8
vendor:	totolink	model:	n150rt	scope:	-	version:	-	Trust: 0.8
vendor:	totolink	model:	a702r-v3	scope:	-	version:	-	Trust: 0.8
vendor:	totolink	model:	n200re-v3	scope:	-	version:	-	Trust: 0.8
vendor:	totolink	model:	a702r-v2	scope:	-	version:	-	Trust: 0.8
vendor:	totolink	model:	a3002ru-v2	scope:	-	version:	-	Trust: 0.8
vendor:	totolink	model:	n210re	scope:	-	version:	-	Trust: 0.8
vendor:	totolink	model:	a3002ru-v1	scope:	-	version:	-	Trust: 0.8
vendor:	totolink	model:	n100re-v3	scope:	-	version:	-	Trust: 0.8
vendor:	totolink	model:	a3002r	scope:	-	version:	-	Trust: 0.8
vendor:	totolink	model:	a3002ru b20190814.1034	scope:	eq	version:	v2.0.0	Trust: 0.6

sources: CNVD: CNVD-2020-70958 // JVNDB: JVNDB-2020-014451 // NVD: CVE-2020-25499

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-25499
value:	HIGH
Trust: 1.0
NVD:	CVE-2020-25499
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2020-70958
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202012-763
value:	HIGH
Trust: 0.6
VULMON:	CVE-2020-25499
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2020-25499
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2020-70958
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2020-25499
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2020-25499
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2020-70958 // VULMON: CVE-2020-25499 // JVNDB: JVNDB-2020-014451 // CNNVD: CNNVD-202012-763 // NVD: CVE-2020-25499

PROBLEMTYPE DATA

problemtype:	CWE-862	Trust: 1.0
problemtype:	CWE-78	Trust: 1.0
problemtype:	OS Command injection (CWE-78) [NVD Evaluation ]	Trust: 0.8
problemtype:	Lack of authentication (CWE-862) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2020-014451 // NVD: CVE-2020-25499

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202012-763

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-202012-763

PATCH

title:	TOTOLINK in 2020 : Statement about the remote command injection vulnerabilities	url:	https://www.totolink.net/home/index/newsss/id/196.html	Trust: 0.8
title:	Patch for Totolink TOTOLINK A3002RU command injection vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/242002	Trust: 0.6
title:	Totolink TOTOLINK A3002RU Fixes for command injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=137268	Trust: 0.6
title:	-	url:	https://github.com/20142995/Goby	Trust: 0.1

sources: CNVD: CNVD-2020-70958 // VULMON: CVE-2020-25499 // JVNDB: JVNDB-2020-014451 // CNNVD: CNNVD-202012-763

EXTERNAL IDS

db:	NVD	id:	CVE-2020-25499	Trust: 3.1
db:	JVNDB	id:	JVNDB-2020-014451	Trust: 0.8
db:	CNVD	id:	CNVD-2020-70958	Trust: 0.6
db:	CNNVD	id:	CNNVD-202012-763	Trust: 0.6
db:	VULMON	id:	CVE-2020-25499	Trust: 0.1

sources: CNVD: CNVD-2020-70958 // VULMON: CVE-2020-25499 // JVNDB: JVNDB-2020-014451 // CNNVD: CNNVD-202012-763 // NVD: CVE-2020-25499

REFERENCES

url:	https://github.com/kdoos/vulnerabilities/blob/main/rce_totolink-a3002ru-v2	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2020-25499	Trust: 2.0
url:	https://www.totolink.net/home/index/newsss/id/196.html	Trust: 1.7
url:	https://cwe.mitre.org/data/definitions/78.html	Trust: 0.1
url:	https://cwe.mitre.org/data/definitions/862.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/20142995/goby	Trust: 0.1

sources: CNVD: CNVD-2020-70958 // VULMON: CVE-2020-25499 // JVNDB: JVNDB-2020-014451 // CNNVD: CNNVD-202012-763 // NVD: CVE-2020-25499

SOURCES

db:	CNVD	id:	CNVD-2020-70958
db:	VULMON	id:	CVE-2020-25499
db:	JVNDB	id:	JVNDB-2020-014451
db:	CNNVD	id:	CNNVD-202012-763
db:	NVD	id:	CVE-2020-25499

LAST UPDATE DATE

2024-11-23T22:40:50.396000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-70958	date:	2020-12-13T00:00:00
db:	VULMON	id:	CVE-2020-25499	date:	2021-07-21T00:00:00
db:	JVNDB	id:	JVNDB-2020-014451	date:	2021-08-19T06:56:00
db:	CNNVD	id:	CNNVD-202012-763	date:	2022-03-24T00:00:00
db:	NVD	id:	CVE-2020-25499	date:	2024-11-21T05:18:04.130

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-70958	date:	2020-12-13T00:00:00
db:	VULMON	id:	CVE-2020-25499	date:	2020-12-09T00:00:00
db:	JVNDB	id:	JVNDB-2020-014451	date:	2021-08-19T00:00:00
db:	CNNVD	id:	CNNVD-202012-763	date:	2020-12-09T00:00:00
db:	NVD	id:	CVE-2020-25499	date:	2020-12-09T21:15:15.477