Details of VAR-202504-3463

ID

VAR-202504-3463

CVE

CVE-2025-28020

TITLE

TOTOLINK of a800r Classic buffer overflow vulnerability in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2025-004360

DESCRIPTION

TOTOLINK A800R V4.1.2cu.5137_B20200730 was found to contain a buffer overflow vulnerability in downloadFile.cgi through the v25 parameter. TOTOLINK of a800r Firmware has a classic buffer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. TOTOLINK A800R is a wireless router from China's TOTOLINK Electronics. The vulnerability is caused by the failure of the v25 parameter in downloadFile.cgi to correctly verify the length of the input data. Remote attackers can exploit this vulnerability to execute arbitrary code on the system or cause a denial of service attack

Trust: 2.16

sources: NVD: CVE-2025-28020 // JVNDB: JVNDB-2025-004360 // CNVD: CNVD-2025-09282

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2025-09282

AFFECTED PRODUCTS

vendor:	totolink	model:	a800r	scope:	eq	version:	4.1.2cu.5137_b20200730	Trust: 1.0
vendor:	totolink	model:	a800r	scope:	-	version:	-	Trust: 0.8
vendor:	totolink	model:	a800r	scope:	eq	version:	a800r firmware 4.1.2cu.5137 b20200730	Trust: 0.8
vendor:	totolink	model:	a800r	scope:	eq	version:	-	Trust: 0.8
vendor:	totolink	model:	a800r v4.1.2cu.5137 b20200730	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2025-09282 // JVNDB: JVNDB-2025-004360 // NVD: CVE-2025-28020

CVSS

SEVERITY

CVSSV2

CVSSV3

134c704f-9b21-4f2e-91b3-4a467353bcc0:	CVE-2025-28020
value:	HIGH
Trust: 1.0
OTHER:	JVNDB-2025-004360
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2025-09282
value:	HIGH
Trust: 0.6

CNVD:	CNVD-2025-09282
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

134c704f-9b21-4f2e-91b3-4a467353bcc0:	CVE-2025-28020
baseSeverity:	HIGH
baseScore:	7.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	3.9
impactScore:	3.4
version:	3.1
Trust: 1.0
OTHER:	JVNDB-2025-004360
baseSeverity:	HIGH
baseScore:	7.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2025-09282 // JVNDB: JVNDB-2025-004360 // NVD: CVE-2025-28020

PROBLEMTYPE DATA

problemtype:	CWE-120	Trust: 1.0
problemtype:	Classic buffer overflow (CWE-120) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2025-004360 // NVD: CVE-2025-28020

EXTERNAL IDS

db:	NVD	id:	CVE-2025-28020	Trust: 3.2
db:	JVNDB	id:	JVNDB-2025-004360	Trust: 0.8
db:	CNVD	id:	CNVD-2025-09282	Trust: 0.6

sources: CNVD: CNVD-2025-09282 // JVNDB: JVNDB-2025-004360 // NVD: CVE-2025-28020

REFERENCES

url:	https://locrian-lightning-dc7.notion.site/bufferoverflow3-1948e5e2b1a280c28ef5c6e54b49324d?pvs=73	Trust: 1.8
url:	https://locrian-lightning-dc7.notion.site/cve-2025-28020-bufferoverflow3-1948e5e2b1a280c28ef5c6e54b49324d	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2025-28020	Trust: 1.4

sources: CNVD: CNVD-2025-09282 // JVNDB: JVNDB-2025-004360 // NVD: CVE-2025-28020

SOURCES

db:	CNVD	id:	CNVD-2025-09282
db:	JVNDB	id:	JVNDB-2025-004360
db:	NVD	id:	CVE-2025-28020

LAST UPDATE DATE

2025-05-10T23:09:58.827000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2025-09282	date:	2025-05-09T00:00:00
db:	JVNDB	id:	JVNDB-2025-004360	date:	2025-05-07T05:30:00
db:	NVD	id:	CVE-2025-28020	date:	2025-05-06T20:35:33.377

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2025-09282	date:	2025-05-08T00:00:00
db:	JVNDB	id:	JVNDB-2025-004360	date:	2025-05-07T00:00:00
db:	NVD	id:	CVE-2025-28020	date:	2025-04-23T17:16:53.027