ID

VAR-202508-0716


CVE

CVE-2025-51452


TITLE

Vulnerabilities in TOTOLINK A7000R firmware

Trust: 0.8

sources: JVNDB: JVNDB-2025-011657

DESCRIPTION

In TOTOLINK A7000R firmware 9.1.0u.6115_B20201022, an attacker can bypass login by sending a specific request through formLoginAuth.htm. The TOTOLINK A7000R firmware contains an unspecified vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). The TOTOLINK A7000R is a wireless router manufactured by the Chinese company TOTOLINK. The TOTOLINK A7000R suffers from an authentication bypass vulnerability caused by the formLoginAuth.htm file not properly validating login requests. Attackers can exploit this vulnerability to bypass authentication, tamper with system configurations, and potentially insert malware.

Trust: 2.16

sources: NVD: CVE-2025-51452 // JVNDB: JVNDB-2025-011657 // CNVD: CNVD-2025-19530

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-19530

AFFECTED PRODUCTS

vendor: totolink, model: a7000r, scope: eq, version: 9.1.0u.6115_b20201022

Trust: 1.0

vendor: totolink, model: a7000r, scope: eq, version: -

Trust: 0.8

vendor: totolink, model: a7000r, scope: eq, version: a7000r firmware 9.1.0u.6115 b20201022

Trust: 0.8

vendor: totolink, model: a7000r, scope: -, version: -

Trust: 0.8

vendor: totolink, model: a7000r 9.1.0u.6115 b20201022, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2025-19530 // JVNDB: JVNDB-2025-011657 // NVD: CVE-2025-51452

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2025-51452
value: CRITICAL

Trust: 1.0

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2025-51452
value: CRITICAL

Trust: 1.0

NVD: CVE-2025-51452
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2025-19530
value: HIGH

Trust: 0.6

CNVD: CNVD-2025-19530
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2025-51452
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 2.0

NVD: CVE-2025-51452
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2025-19530 // JVNDB: JVNDB-2025-011657 // NVD: CVE-2025-51452 // NVD: CVE-2025-51452

PROBLEMTYPE DATA

problemtype: NVD-CWE-noinfo

Trust: 1.0

problemtype: CWE-288

Trust: 1.0

problemtype: Authentication Bypass Using Alternate Paths or Channels (CWE-288) [others]

Trust: 0.8

problemtype: Lack of information (CWE-noinfo) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2025-011657 // NVD: CVE-2025-51452

PATCH

title: Patch for TOTOLINK A7000R authentication bypass vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/722706

Trust: 0.6

sources: CNVD: CNVD-2025-19530

EXTERNAL IDS

db: NVD, id: CVE-2025-51452

Trust: 3.2

db: JVNDB, id: JVNDB-2025-011657

Trust: 0.8

db: CNVD, id: CNVD-2025-19530

Trust: 0.6

sources: CNVD: CNVD-2025-19530 // JVNDB: JVNDB-2025-011657 // NVD: CVE-2025-51452

REFERENCES

url: https://gist.github.com/lin-3-start/5b20f6fbe3aa0c3fc75f320cd589182a

Trust: 1.8

url: https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/171/ids/36.html

Trust: 1.8

url: https://nvd.nist.gov/vuln/detail/cve-2025-51452

Trust: 1.4

url: http://a7000rfirmware.com

Trust: 1.0

sources: CNVD: CNVD-2025-19530 // JVNDB: JVNDB-2025-011657 // NVD: CVE-2025-51452

SOURCES

db: CNVD, id: CNVD-2025-19530
db: JVNDB, id: JVNDB-2025-011657
db: NVD, id: CVE-2025-51452

LAST UPDATE DATE

2025-08-29T23:24:28.169000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2025-19530, date: 2025-08-28T00:00:00
db: JVNDB, id: JVNDB-2025-011657, date: 2025-08-15T10:06:00
db: NVD, id: CVE-2025-51452, date: 2025-08-14T14:15:33.323

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2025-19530, date: 2025-08-21T00:00:00
db: JVNDB, id: JVNDB-2025-011657, date: 2025-08-15T00:00:00
db: NVD, id: CVE-2025-51452, date: 2025-08-13T16:15:32.187