ID

VAR-202507-3042


CVE

CVE-2025-44655


TITLE

Improper permission settings vulnerability in multiple TOTOLINK products

Trust: 0.8

sources: JVNDB: JVNDB-2025-011054

DESCRIPTION

In TOTOLINK A7100RU V7.4, A950RG V5.9, and T10 V5.9, the chroot_local_user option is enabled in vsftpd.conf. This could lead to unauthorized access to system files, privilege escalation, or use of the compromised server as a pivot point for internal network attacks. The TOTOLINK A7100RU, A950RG, and T10 firmware contain an improper permission settings vulnerability. Information may be obtained or tampered with, and a denial-of-service (DoS) condition may be caused.

Trust: 1.62

sources: NVD: CVE-2025-44655 // JVNDB: JVNDB-2025-011054

AFFECTED PRODUCTS

vendor: totolink, model: a7100ru, scope: eq, version: 7.4

Trust: 1.0

vendor: totolink, model: a950rg, scope: eq, version: 5.9

Trust: 1.0

vendor: totolink, model: t10, scope: eq, version: 5.9

Trust: 1.0

vendor: totolink, model: a950rg, scope: -, version: -

Trust: 0.8

vendor: totolink, model: a7100ru, scope: -, version: -

Trust: 0.8

vendor: totolink, model: t10, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2025-011054 // NVD: CVE-2025-44655

CVSS

SEVERITY

CVSSV2

CVSSV3

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2025-44655
value: CRITICAL

Trust: 1.0

OTHER: JVNDB-2025-011054
value: CRITICAL

Trust: 0.8

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2025-44655
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

OTHER: JVNDB-2025-011054
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2025-011054 // NVD: CVE-2025-44655

PROBLEMTYPE DATA

problemtype: CWE-266

Trust: 1.0

problemtype: Improper permission settings (CWE-266) [others]

Trust: 0.8

sources: JVNDB: JVNDB-2025-011054 // NVD: CVE-2025-44655

EXTERNAL IDS

db: NVD, id: CVE-2025-44655

Trust: 2.6

db: JVNDB, id: JVNDB-2025-011054

Trust: 0.8

sources: JVNDB: JVNDB-2025-011054 // NVD: CVE-2025-44655

REFERENCES

url:https://gist.github.com/tpcchecker/d7306649f51ca25e22dd6532546a58f3

Trust: 1.0

url:http://totolink.com

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2025-44655

Trust: 0.8

sources: JVNDB: JVNDB-2025-011054 // NVD: CVE-2025-44655

SOURCES

db: JVNDB, id: JVNDB-2025-011054
db: NVD, id: CVE-2025-44655

LAST UPDATE DATE

2025-08-10T23:38:31.533000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2025-011054, date: 2025-08-08T08:14:00
db: NVD, id: CVE-2025-44655, date: 2025-08-07T17:58:19.833

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2025-011054, date: 2025-08-08T00:00:00
db: NVD, id: CVE-2025-44655, date: 2025-07-21T16:15:29.323