ID

VAR-202506-0952


CVE

CVE-2025-6139


TITLE

Certificate and password management vulnerability in TOTOLINK T10 firmware

Trust: 0.8

sources: JVNDB: JVNDB-2025-007831

DESCRIPTION

A vulnerability, which was classified as problematic, has been found in TOTOLINK T10 4.1.8cu.5207. Affected by this issue is some unknown functionality of the file /etc/shadow.sample. The manipulation leads to use of a hard-coded password. The attack can only be initiated within the local network. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.

TOTOLINK T10 firmware contains vulnerabilities related to certificate and password management, as well as vulnerabilities related to the use of hard-coded passwords. Information may be obtained or tampered with, and service operation may be interrupted (DoS).

TOTOLINK T10 is a wireless network system router from China's Jiweng Electronics (TOTOLINK) company. TOTOLINK T10 has a trust management issue vulnerability, which stems from the use of hard-coded passwords in the file /etc/shadow.sample. Attackers can exploit this vulnerability to affect confidentiality, integrity, and availability.

Trust: 2.16

sources: NVD: CVE-2025-6139 // JVNDB: JVNDB-2025-007831 // CNVD: CNVD-2025-14270

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-14270

AFFECTED PRODUCTS

vendor: totolink, model: t10, scope: eq, version: 4.1.8cu.5207_b20210320

Trust: 1.0

vendor: totolink, model: t10, scope: eq, version: t10 firmware 4.1.8cu.5207 b20210320

Trust: 0.8

vendor: totolink, model: t10, scope: eq, version: -

Trust: 0.8

vendor: totolink, model: t10, scope: -, version: -

Trust: 0.8

vendor: totolink, model: t10 4.1.8cu.5207, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2025-14270 // JVNDB: JVNDB-2025-007831 // NVD: CVE-2025-6139

CVSS

SEVERITY

CVSSV2

CVSSV3

cna@vuldb.com: CVE-2025-6139
value: LOW

Trust: 1.0

OTHER: JVNDB-2025-007831
value: LOW

Trust: 0.8

CNVD: CNVD-2025-14270
value: MEDIUM

Trust: 0.6

cna@vuldb.com: CVE-2025-6139
severity: LOW
baseScore: 3.7
vectorString: AV:A/AC:H/AU:M/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: HIGH
authentication: MULTIPLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 2.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

OTHER: JVNDB-2025-007831
severity: LOW
baseScore: 3.7
vectorString: AV:A/AC:H/AU:M/C:P/I:P/A:P
accessVector: ADJACENT NETWORK
accessComplexity: HIGH
authentication: MULTIPLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2025-14270
severity: MEDIUM
baseScore: 4.0
vectorString: AV:A/AC:H/AU:S/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: HIGH
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 2.5
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

cna@vuldb.com: CVE-2025-6139
baseSeverity: LOW
baseScore: 3.9
vectorString: CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
attackVector: ADJACENT
attackComplexity: HIGH
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 0.5
impactScore: 3.4
version: 3.1

Trust: 1.0

OTHER: JVNDB-2025-007831
baseSeverity: LOW
baseScore: 3.9
vectorString: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
attackVector: ADJACENT NETWORK
attackComplexity: HIGH
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2025-14270 // JVNDB: JVNDB-2025-007831 // NVD: CVE-2025-6139

PROBLEMTYPE DATA

problemtype:CWE-259

Trust: 1.0

problemtype:CWE-255

Trust: 1.0

problemtype:Certificate/password management (CWE-255) [ others ]

Trust: 0.8

problemtype: Using hardcoded passwords (CWE-259) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2025-007831 // NVD: CVE-2025-6139

PATCH

title: Patch for TOTOLINK T10 Trust Management Issue Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/702371

Trust: 0.6

sources: CNVD: CNVD-2025-14270

EXTERNAL IDS

db: NVD, id: CVE-2025-6139

Trust: 3.2

db: VULDB, id: 312608

Trust: 1.8

db: JVNDB, id: JVNDB-2025-007831

Trust: 0.8

db: CNVD, id: CNVD-2025-14270

Trust: 0.6

sources: CNVD: CNVD-2025-14270 // JVNDB: JVNDB-2025-007831 // NVD: CVE-2025-6139

REFERENCES

url:https://candle-throne-f75.notion.site/totolink-t10-shadow-20ddf0aa118580f5a455cd5dbc521472

Trust: 1.8

url:https://vuldb.com/?id.312608

Trust: 1.8

url:https://vuldb.com/?submit.592922

Trust: 1.8

url:https://www.totolink.net/

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2025-6139

Trust: 1.4

url:https://vuldb.com/?ctiid.312608

Trust: 1.0

sources: CNVD: CNVD-2025-14270 // JVNDB: JVNDB-2025-007831 // NVD: CVE-2025-6139

SOURCES

db: CNVD, id: CNVD-2025-14270
db: JVNDB, id: JVNDB-2025-007831
db: NVD, id: CVE-2025-6139

LAST UPDATE DATE

2025-07-04T23:42:49.185000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2025-14270, date: 2025-06-30T00:00:00
db: JVNDB, id: JVNDB-2025-007831, date: 2025-07-02T09:16:00
db: NVD, id: CVE-2025-6139, date: 2025-06-26T16:27:37.157

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2025-14270, date: 2025-06-26T00:00:00
db: JVNDB, id: JVNDB-2025-007831, date: 2025-07-02T00:00:00
db: NVD, id: CVE-2025-6139, date: 2025-06-16T21:15:24.513