VARIoT IoT vulnerabilities database

VAR-202508-2470 CVE-2025-53419 Delta Electronics ISPSoft ISP File Parsing Improper Control of Dynamically-Managed Code Remote Code Execution Vulnerability
CVSS V2: -
CVSS V3: 7.8
Severity: HIGH
Delta Electronics COMMGR has a code injection vulnerability. User interaction is required to exploit this vulnerability: the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of ISP files. The issue results from insufficient restriction of dynamically-managed code. An attacker can leverage this vulnerability to execute code in the context of the current process.

VAR-202508-2397 CVE-2025-29523 D-Link DSL-7740C ping6 function command injection vulnerability
CVSS V2: 8.3
CVSS V3: 7.2
Severity: HIGH
D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 was discovered to contain a command injection vulnerability via the ping6 function. The D-Link DSL-7740C is a modem manufactured by D-Link, a Chinese company. This vulnerability stems from the ping6 function's failure to properly sanitize special characters and commands during command construction. An attacker could exploit this vulnerability to execute arbitrary commands.

VAR-202508-2361 CVE-2025-29522 D-Link DSL-7740C ping function command injection vulnerability
CVSS V2: 6.4
CVSS V3: 6.5
Severity: MEDIUM
D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 was discovered to contain a command injection vulnerability via the ping function. The D-Link DSL-7740C is a modem manufactured by D-Link, a Chinese company. This vulnerability stems from the ping function's failure to properly sanitize special characters and commands during command construction. An attacker could exploit this vulnerability to execute arbitrary commands.

VAR-202508-2450 CVE-2025-29520 D-Link DSL-7740C Maintenance module access control error vulnerability
CVSS V2: 5.0
CVSS V3: 5.3
Severity: MEDIUM
Incorrect access control in the Maintenance module of D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 allows authenticated attackers with low-level privileges to arbitrarily change the high-privileged account passwords and escalate privileges. The D-Link DSL-7740C is a modem manufactured by D-Link, a Chinese company.

VAR-202508-2362 CVE-2025-29519 D-Link DSL-7740C EXE parameter command injection vulnerability
CVSS V2: 5.0
CVSS V3: 5.3
Severity: MEDIUM
A command injection vulnerability in the EXE parameter of D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 allows attackers to execute arbitrary commands by supplying a crafted GET request. The D-Link DSL-7740C is a modem manufactured by D-Link, a Chinese company.

VAR-202508-2377 CVE-2025-29517 D-Link DSL-7740C traceroute6 function command injection vulnerability
CVSS V2: 8.3
CVSS V3: 6.8
Severity: MEDIUM
D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 was discovered to contain a command injection vulnerability via the traceroute6 function. The D-Link DSL-7740C is a modem manufactured by D-Link, a Chinese company.

VAR-202508-2463 CVE-2025-29516 D-Link DSL-7740C backup function command injection vulnerability
CVSS V2: 8.3
CVSS V3: 7.2
Severity: HIGH
D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 was discovered to contain a command injection vulnerability via the backup function. The D-Link DSL-7740C is a modem manufactured by D-Link, a Chinese company.

VAR-202508-2398 CVE-2025-29515 D-Link DSL-7740C DELT_file.xgi endpoint access control error vulnerability
CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
Incorrect access control in the DELT_file.xgi endpoint of D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 allows attackers to modify arbitrary settings within the device's XML database, including the administrator's password. The D-Link DSL-7740C is a modem manufactured by D-Link, a Chinese company. The D-Link DSL-7740C, version DSL7740C.V6.TR069.20211230, suffers from an access control vulnerability that stems from improper access control on the DELT_file.xgi endpoint.

VAR-202508-2439 CVE-2025-55606 Classic buffer overflow vulnerability in Shenzhen Tenda Technology Co.,Ltd. AX3 firmware
CVSS V2: -
CVSS V3: 7.5
Severity: HIGH
Tenda AX3 V16.03.12.10_CN is vulnerable to a buffer overflow in the fromAdvSetMacMtuWan function via the serverName parameter. Shenzhen Tenda Technology Co.,Ltd. AX3 firmware has a classic buffer overflow vulnerability. The device may be put into a denial-of-service (DoS) state.

VAR-202508-2324 CVE-2025-55605 Classic buffer overflow vulnerability in Shenzhen Tenda Technology Co.,Ltd. AX3 firmware
CVSS V2: -
CVSS V3: 7.5
Severity: HIGH
Tenda AX3 V16.03.12.10_CN is vulnerable to a buffer overflow in the saveParentControlInfo function via the deviceName parameter. Shenzhen Tenda Technology Co.,Ltd. AX3 firmware has a classic buffer overflow vulnerability. The device may be put into a denial-of-service (DoS) state.

VAR-202508-2414 CVE-2025-55603 Classic buffer overflow vulnerability in Shenzhen Tenda Technology Co.,Ltd. AX3 firmware
CVSS V2: -
CVSS V3: 7.5
Severity: HIGH
Tenda AX3 V16.03.12.10_CN is vulnerable to a buffer overflow in the fromSetSysTime function via the ntpServer parameter. Shenzhen Tenda Technology Co.,Ltd. AX3 firmware has a classic buffer overflow vulnerability. The device may be put into a denial-of-service (DoS) state.

VAR-202508-2151 CVE-2025-9309 Use of hard-coded password vulnerability in Shenzhen Tenda Technology Co.,Ltd. AC10 firmware
CVSS V2: 1.0
CVSS V3: 2.5
Severity: LOW
A vulnerability was found in Tenda AC10 16.03.10.13. Affected is an unknown function of the file /etc_ro/shadow of the component MD5 Hash Handler. Performing manipulation results in hard-coded credentials. The attack needs to be approached locally. A high degree of complexity is needed for the attack. Exploitation is said to be difficult. The exploit has been made public and could be used. Shenzhen Tenda Technology Co.,Ltd. AC10 firmware contains vulnerabilities related to the use of hard-coded passwords and the use of hard-coded credentials. Information may be obtained or tampered with, and the device may be put into a denial-of-service (DoS) state.

VAR-202508-2063 CVE-2025-9299 Buffer error vulnerability in Shenzhen Tenda Technology Co.,Ltd. M3 firmware
CVSS V2: 9.0
CVSS V3: 8.8
Severity: HIGH
A vulnerability has been found in Tenda M3 1.0.0.12. Affected by this vulnerability is the function formGetMasterPassengerAnalyseData of the file /goform/getMasterPassengerAnalyseData. The manipulation of the argument Time leads to a stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Shenzhen Tenda Technology Co.,Ltd. M3 firmware contains a buffer error vulnerability and a stack-based buffer overflow vulnerability. Information may be obtained or tampered with, and the device may be put into a denial-of-service (DoS) state.

VAR-202508-2069 CVE-2025-9298 Buffer error vulnerability in Shenzhen Tenda Technology Co.,Ltd. M3 firmware
CVSS V2: 9.0
CVSS V3: 8.8
Severity: HIGH
A flaw has been found in Tenda M3 1.0.0.12. Affected is the function formQuickIndex of the file /goform/QuickIndex. Manipulation of the argument PPPOEPassword can lead to a stack-based buffer overflow. The attack can be launched remotely. The exploit has been published and may be used. Shenzhen Tenda Technology Co.,Ltd. M3 firmware contains a buffer error vulnerability and a stack-based buffer overflow vulnerability. Information may be obtained or tampered with, and the device may be put into a denial-of-service (DoS) state.

VAR-202508-2214 CVE-2025-55591 Command injection vulnerability in TOTOLINK A3002R firmware
CVSS V2: -
CVSS V3: 9.8
Severity: CRITICAL
TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a command injection vulnerability in the devicemac parameter of the formMapDel endpoint. TOTOLINK A3002R firmware contains a command injection vulnerability. Information may be obtained or tampered with, and the device may be put into a denial-of-service (DoS) state.

VAR-202508-2081 CVE-2025-55590 Command injection vulnerability in TOTOLINK A3002R firmware
CVSS V2: -
CVSS V3: 6.5
Severity: MEDIUM
TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a command injection vulnerability via the component bupload.html.

VAR-202508-2119 CVE-2025-55589 OS command injection vulnerability in TOTOLINK A3002R firmware
CVSS V2: -
CVSS V3: 6.5
Severity: MEDIUM
TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain multiple OS command injection vulnerabilities via the macstr, bandstr, and clientoff parameters at /boafrm/formMapDelDevice.

VAR-202508-2136 CVE-2025-55588 Resource exhaustion vulnerability in TOTOLINK A3002R firmware
CVSS V2: -
CVSS V3: 7.5
Severity: HIGH
TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow in the fw_ip parameter at /boafrm/formPortFw. This vulnerability allows attackers to cause a denial of service (DoS) via a crafted input. TOTOLINK A3002R firmware has a resource exhaustion vulnerability. The device may be put into a denial-of-service (DoS) state.

VAR-202508-2121 CVE-2025-55587 Resource exhaustion vulnerability in TOTOLINK A3002R firmware
CVSS V2: -
CVSS V3: 7.5
Severity: HIGH
TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow in the hostname parameter at /boafrm/formMapDelDevice. This vulnerability allows attackers to cause a denial of service (DoS) via a crafted input. TOTOLINK A3002R firmware has a resource exhaustion vulnerability. The device may be put into a denial-of-service (DoS) state.

VAR-202508-2195 CVE-2025-55586 Resource exhaustion vulnerability in TOTOLINK A3002R firmware
CVSS V2: -
CVSS V3: 7.5
Severity: HIGH
TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow in the url parameter at /boafrm/formFilter. This vulnerability allows attackers to cause a denial of service (DoS) via a crafted input. TOTOLINK A3002R firmware has a resource exhaustion vulnerability. The device may be put into a denial-of-service (DoS) state.