Details of VAR-202504-3229

ID

VAR-202504-3229

CVE

CVE-2025-3989

TITLE

TOTOLINK of N150RT Buffer error vulnerability in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2025-004763

DESCRIPTION

A vulnerability classified as critical was found in TOTOLINK N150RT 3.4.0-B20190525. Affected by this vulnerability is an unknown functionality of the file /boafrm/formStaticDHCP. The manipulation of the argument Hostname leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. TOTOLINK of N150RT The firmware contains a buffer error vulnerability and a classic buffer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. TOTOLINK N150RT is a wireless router produced by China's TOTOLINK Electronics. The vulnerability is caused by the failure of the parameter Hostname in the file /boafrm/formStaticDHCP to correctly verify the length of the input data. Attackers can exploit this vulnerability to execute arbitrary code on the system or cause a denial of service

Trust: 2.16

sources: NVD: CVE-2025-3989 // JVNDB: JVNDB-2025-004763 // CNVD: CNVD-2025-09853

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2025-09853

AFFECTED PRODUCTS

vendor:	totolink	model:	n150rt	scope:	eq	version:	3.4.0-b20190525	Trust: 1.0
vendor:	totolink	model:	n150rt	scope:	-	version:	-	Trust: 0.8
vendor:	totolink	model:	n150rt	scope:	eq	version:	-	Trust: 0.8
vendor:	totolink	model:	n150rt	scope:	eq	version:	n150rt firmware 3.4.0-b20190525	Trust: 0.8
vendor:	totolink	model:	n150rt 3.4.0-b20190525	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2025-09853 // JVNDB: JVNDB-2025-004763 // NVD: CVE-2025-3989

CVSS

SEVERITY

CVSSV2

CVSSV3

cna@vuldb.com:	CVE-2025-3989
value:	HIGH
Trust: 1.0
OTHER:	JVNDB-2025-004763
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2025-09853
value:	HIGH
Trust: 0.6

cna@vuldb.com:	CVE-2025-3989
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
OTHER:	JVNDB-2025-004763
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2025-09853
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

cna@vuldb.com:	CVE-2025-3989
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
OTHER:	JVNDB-2025-004763
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2025-09853 // JVNDB: JVNDB-2025-004763 // NVD: CVE-2025-3989

PROBLEMTYPE DATA

problemtype:	CWE-120	Trust: 1.0
problemtype:	CWE-119	Trust: 1.0
problemtype:	Buffer error (CWE-119) [ others ]	Trust: 0.8
problemtype:	Classic buffer overflow (CWE-120) [ others ]	Trust: 0.8
problemtype:	Classic buffer overflow (CWE-120) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2025-004763 // NVD: CVE-2025-3989

PATCH

title:

Patch for TOTOLINK N150RT /boafrm/formStaticDHCP file buffer overflow vulnerability

url:

https://www.cnvd.org.cn/patchInfo/show/687736

Trust: 0.6

sources: CNVD: CNVD-2025-09853

EXTERNAL IDS

db:	NVD	id:	CVE-2025-3989	Trust: 3.2
db:	VULDB	id:	306325	Trust: 1.8
db:	JVNDB	id:	JVNDB-2025-004763	Trust: 0.8
db:	CNVD	id:	CNVD-2025-09853	Trust: 0.6

sources: CNVD: CNVD-2025-09853 // JVNDB: JVNDB-2025-004763 // NVD: CVE-2025-3989

REFERENCES

url:	https://github.com/fizz-is-on-the-way/iot_vuls/tree/main/n150rt/bufferoverflow_formstaticdhcp	Trust: 1.8
url:	https://vuldb.com/?id.306325	Trust: 1.8
url:	https://vuldb.com/?submit.557940	Trust: 1.8
url:	https://www.totolink.net/	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2025-3989	Trust: 1.4
url:	https://vuldb.com/?ctiid.306325	Trust: 1.0

sources: CNVD: CNVD-2025-09853 // JVNDB: JVNDB-2025-004763 // NVD: CVE-2025-3989

SOURCES

db:	CNVD	id:	CNVD-2025-09853
db:	JVNDB	id:	JVNDB-2025-004763
db:	NVD	id:	CVE-2025-3989

LAST UPDATE DATE

2025-05-17T03:54:02.586000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2025-09853	date:	2025-05-15T00:00:00
db:	JVNDB	id:	JVNDB-2025-004763	date:	2025-05-13T07:03:00
db:	NVD	id:	CVE-2025-3989	date:	2025-05-12T19:31:35.613

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2025-09853	date:	2025-05-13T00:00:00
db:	JVNDB	id:	JVNDB-2025-004763	date:	2025-05-13T00:00:00
db:	NVD	id:	CVE-2025-3989	date:	2025-04-27T23:15:14.890