ID

VAR-202508-2119


CVE

CVE-2025-55589


TITLE

OS command injection vulnerability in TOTOLINK A3002R firmware

Trust: 0.8

sources: JVNDB: JVNDB-2025-012072

DESCRIPTION

TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain multiple OS command injection vulnerabilities via the macstr, bandstr, and clientoff parameters at /boafrm/formMapDelDevice. The TOTOLINK A3002R is a wireless router manufactured by China's TOTOLINK Electronics. Its primary function is to provide wireless network connectivity for homes and small offices. Detailed vulnerability information is not available at this time.

Trust: 2.16

sources: NVD: CVE-2025-55589 // JVNDB: JVNDB-2025-012072 // CNVD: CNVD-2025-20933

IOT TAXONOMY

category: ['Network device'] sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-20933

AFFECTED PRODUCTS

vendor: totolink model: a3002r scope: eq version: 4.0.0-b20230531.1404

Trust: 1.0

vendor: totolink model: a3002r scope: - version: -

Trust: 0.8

vendor: totolink model: a3002r scope: eq version: -

Trust: 0.8

vendor: totolink model: a3002r scope: eq version: a3002r firmware 4.0.0-b20230531.1404

Trust: 0.8

vendor: totolink model: a3002r v4.0.0-b20230531.1404 scope: - version: -

Trust: 0.6

sources: CNVD: CNVD-2025-20933 // JVNDB: JVNDB-2025-012072 // NVD: CVE-2025-55589

CVSS

SEVERITY

CVSSV2

CVSSV3

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2025-55589
value: MEDIUM

Trust: 1.0

OTHER: JVNDB-2025-012072
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2025-20933
value: MEDIUM

Trust: 0.6

CNVD: CNVD-2025-20933
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2025-55589
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.5
version: 3.1

Trust: 1.0

OTHER: JVNDB-2025-012072
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2025-20933 // JVNDB: JVNDB-2025-012072 // NVD: CVE-2025-55589

PROBLEMTYPE DATA

problemtype: CWE-78

Trust: 1.0

problemtype: OS Command injection (CWE-78) [others]

Trust: 0.8

sources: JVNDB: JVNDB-2025-012072 // NVD: CVE-2025-55589

EXTERNAL IDS

db: NVD id: CVE-2025-55589

Trust: 3.2

db: JVNDB id: JVNDB-2025-012072

Trust: 0.8

db: CNVD id: CNVD-2025-20933

Trust: 0.6

sources: CNVD: CNVD-2025-20933 // JVNDB: JVNDB-2025-012072 // NVD: CVE-2025-55589

REFERENCES

url: https://github.com/goldenglow21/softwares_poc/blob/main/a3002r_v4/boa%20-%20command%20injection/poc%201.md

Trust: 2.4

url: https://nvd.nist.gov/vuln/detail/cve-2025-55589

Trust: 0.8

sources: CNVD: CNVD-2025-20933 // JVNDB: JVNDB-2025-012072 // NVD: CVE-2025-55589

SOURCES

db: CNVD id: CNVD-2025-20933
db: JVNDB id: JVNDB-2025-012072
db: NVD id: CVE-2025-55589

LAST UPDATE DATE

2025-09-12T23:40:16.674000+00:00


SOURCES UPDATE DATE

db: CNVD id: CNVD-2025-20933 date: 2025-09-10T00:00:00
db: JVNDB id: JVNDB-2025-012072 date: 2025-08-22T03:20:00
db: NVD id: CVE-2025-55589 date: 2025-08-21T14:10:47.240

SOURCES RELEASE DATE

db: CNVD id: CNVD-2025-20933 date: 2025-09-10T00:00:00
db: JVNDB id: JVNDB-2025-012072 date: 2025-08-22T00:00:00
db: NVD id: CVE-2025-55589 date: 2025-08-18T20:15:31.190