ID

VAR-202504-1154


CVE

CVE-2025-3663


TITLE

Vulnerabilities in TOTOLINK a3700r firmware

Trust: 0.8

sources: JVNDB: JVNDB-2025-004840

DESCRIPTION

A vulnerability, which was classified as critical, has been found in TOTOLINK A3700R 9.1.2u.5822_B20200513. This issue affects the function setWiFiEasyCfg/setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi of the component Password Handler. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

The TOTOLINK a3700r firmware contains unspecified vulnerabilities. Information may be tampered with, and service operation may be interrupted (DoS).

TOTOLINK A3700R is a wireless router that provides wireless network connectivity. It has an improper access control vulnerability, caused by the setWiFiEasyCfg/setWiFiEasyGuestCfg function in the /cgi-bin/cstecgi.cgi file failing to properly handle specific requests. No detailed vulnerability information is currently provided.

Trust: 2.16

sources: NVD: CVE-2025-3663 // JVNDB: JVNDB-2025-004840 // CNVD: CNVD-2025-14780

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-14780

AFFECTED PRODUCTS

vendor: totolink, model: a3700r, scope: eq, version: 9.1.2u.5822_b20200513

Trust: 1.0

vendor: totolink, model: a3700r, scope: eq, version: -

Trust: 0.8

vendor: totolink, model: a3700r, scope: eq, version: a3700r firmware 9.1.2u.5822 b20200513

Trust: 0.8

vendor: totolink, model: a3700r, scope: -, version: -

Trust: 0.8

vendor: totolink, model: a3700r 9.1.2u.5822 b20200513, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2025-14780 // JVNDB: JVNDB-2025-004840 // NVD: CVE-2025-3663

CVSS

SEVERITY

CVSSV2

CVSSV3

cna@vuldb.com: CVE-2025-3663
value: MEDIUM

Trust: 1.0

nvd@nist.gov: CVE-2025-3663
value: HIGH

Trust: 1.0

OTHER: JVNDB-2025-004840
value: HIGH

Trust: 0.8

CNVD: CNVD-2025-14780
value: MEDIUM

Trust: 0.6

cna@vuldb.com: CVE-2025-3663
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

OTHER: JVNDB-2025-004840
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2025-14780
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

cna@vuldb.com: CVE-2025-3663
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 1.4
version: 3.1

Trust: 1.0

nvd@nist.gov: CVE-2025-3663
baseSeverity: HIGH
baseScore: 8.2
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 4.2
version: 3.1

Trust: 1.0

NVD: JVNDB-2025-004840
baseSeverity: HIGH
baseScore: 8.2
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2025-14780 // JVNDB: JVNDB-2025-004840 // NVD: CVE-2025-3663 // NVD: CVE-2025-3663

PROBLEMTYPE DATA

problemtype: CWE-284

Trust: 1.0

problemtype: CWE-266

Trust: 1.0

problemtype: NVD-CWE-noinfo

Trust: 1.0

problemtype: Improper permission settings (CWE-266) [others]

Trust: 0.8

problemtype: Inappropriate access control (CWE-284) [others]

Trust: 0.8

problemtype: Lack of information (CWE-noinfo) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2025-004840 // NVD: CVE-2025-3663

EXTERNAL IDS

db: NVD, id: CVE-2025-3663

Trust: 3.2

db: VULDB, id: 304841

Trust: 2.4

db: JVNDB, id: JVNDB-2025-004840

Trust: 0.8

db: CNVD, id: CNVD-2025-14780

Trust: 0.6

sources: CNVD: CNVD-2025-14780 // JVNDB: JVNDB-2025-004840 // NVD: CVE-2025-3663

REFERENCES

url:https://vuldb.com/?id.304841

Trust: 2.4

url:https://lavender-bicycle-a5a.notion.site/totolink-a3700r-setwifieasycfg-1cb53a41781f809f807efe1284f5eb1a?pvs=4

Trust: 1.8

url:https://vuldb.com/?submit.551295

Trust: 1.8

url:https://www.totolink.net/

Trust: 1.8

url:https://vuldb.com/?ctiid.304841

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2025-3663

Trust: 0.8

sources: CNVD: CNVD-2025-14780 // JVNDB: JVNDB-2025-004840 // NVD: CVE-2025-3663

SOURCES

db: CNVD, id: CNVD-2025-14780
db: JVNDB, id: JVNDB-2025-004840
db: NVD, id: CVE-2025-3663

LAST UPDATE DATE

2025-07-04T23:41:23.002000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2025-14780, date: 2025-07-02T00:00:00
db: JVNDB, id: JVNDB-2025-004840, date: 2025-05-13T12:50:00
db: NVD, id: CVE-2025-3663, date: 2025-05-12T19:50:03.073

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2025-14780, date: 2025-07-02T00:00:00
db: JVNDB, id: JVNDB-2025-004840, date: 2025-05-13T00:00:00
db: NVD, id: CVE-2025-3663, date: 2025-04-16T03:15:17.680