VARIoT IoT vulnerabilities database

VAR-202508-2470 | CVE-2025-53419 | Delta Electronics ISPSoft ISP File Parsing Improper Control of Dynamically-Managed Code Remote Code Execution Vulnerability |
CVSS V2: - CVSS V3: 7.8 Severity: HIGH |
Delta Electronics COMMGR contains a code injection vulnerability. User interaction is required to exploit it: the target must visit a malicious page or open a malicious file. The flaw lies in the parsing of ISP files and results from insufficient restriction of dynamically-managed code. An attacker can leverage it to execute code in the context of the current process.
VAR-202508-2397 | CVE-2025-29523 | D-Link DSL-7740C ping6 function command injection vulnerability |
CVSS V2: 8.3 CVSS V3: 7.2 Severity: HIGH |
D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 contains a command injection vulnerability in the ping6 function. The DSL-7740C is a DSL modem made by D-Link, a Taiwanese networking vendor. The flaw stems from the ping6 function's failure to filter shell metacharacters and embedded commands from user input when it constructs the command line; an attacker can exploit it to execute arbitrary commands on the device.
VAR-202508-2361 | CVE-2025-29522 | D-Link DSL-7740C ping function command injection vulnerability |
CVSS V2: 6.4 CVSS V3: 6.5 Severity: MEDIUM |
D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 contains a command injection vulnerability in the ping function. The DSL-7740C is a DSL modem made by D-Link, a Taiwanese networking vendor. The flaw stems from the ping function's failure to filter shell metacharacters and embedded commands from user input when it constructs the command line; an attacker can exploit it to execute arbitrary commands on the device.
VAR-202508-2450 | CVE-2025-29520 | D-Link DSL-7740C Maintenance Module Access Control Error Vulnerability |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
Incorrect access control in the Maintenance module of D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 allows authenticated attackers with low-level privileges to change the passwords of high-privileged accounts at will and thereby escalate privileges. The DSL-7740C is a DSL modem made by D-Link, a Taiwanese networking vendor.
VAR-202508-2362 | CVE-2025-29519 | D-Link DSL-7740C EXE parameter command injection vulnerability |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
A command injection vulnerability in the EXE parameter of D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 allows attackers to execute arbitrary commands via a crafted GET request. The DSL-7740C is a DSL modem made by D-Link, a Taiwanese networking vendor.
VAR-202508-2377 | CVE-2025-29517 | D-Link DSL-7740C traceroute6 function command injection vulnerability |
CVSS V2: 8.3 CVSS V3: 6.8 Severity: MEDIUM |
D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 contains a command injection vulnerability in the traceroute6 function. The DSL-7740C is a DSL modem made by D-Link, a Taiwanese networking vendor.
VAR-202508-2463 | CVE-2025-29516 | D-Link DSL-7740C backup function command injection vulnerability |
CVSS V2: 8.3 CVSS V3: 7.2 Severity: HIGH |
D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 contains a command injection vulnerability in the backup function. The DSL-7740C is a DSL modem made by D-Link, a Taiwanese networking vendor.
VAR-202508-2398 | CVE-2025-29515 | D-Link DSL-7740C DELT_file.xgi endpoint access control error vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Incorrect access control on the DELT_file.xgi endpoint of D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 allows attackers to modify arbitrary settings in the device's XML database, including the administrator's password. The DSL-7740C is a DSL modem made by D-Link, a Taiwanese networking vendor. The root cause is missing access control on the DELT_file.xgi endpoint itself.
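Added illustration for the two access control entries above (CVE-2025-29520 and CVE-2025-29515). This is hypothetical code written for this page, not the D-Link DSL-7740C firmware: a settings-write handler that performs neither authentication nor per-key authorization, next to one that enforces both. The key names ("account.admin.password", "wifi.ssid", "wan.pppoe.user"), the role model and the session records are all invented for the example.

```c
/* Added example (hypothetical, not D-Link firmware): a settings-write
 * endpoint without authentication or authorization, and a checked version. */
#include <stdio.h>
#include <string.h>

enum role { ROLE_NONE = 0, ROLE_USER = 1, ROLE_ADMIN = 2 };
typedef struct { int authenticated; enum role role; const char *account; } session_t;

/* Constructed sessions used by main() below. */
const session_t SESSION_ANON  = { 0, ROLE_NONE,  "" };
const session_t SESSION_BOB   = { 1, ROLE_USER,  "bob" };
const session_t SESSION_ADMIN = { 1, ROLE_ADMIN, "admin" };

/* Tiny in-memory stand-in for the device's XML settings database. */
#define MAX_SETTINGS 16
typedef struct { char key[32]; char value[64]; } setting_t;
static setting_t db[MAX_SETTINGS];
static int db_count;

static setting_t *lookup(const char *key) {
    for (int i = 0; i < db_count; i++)
        if (strcmp(db[i].key, key) == 0) return &db[i];
    return NULL;
}

static int store(const char *key, const char *value) {
    if (strlen(key) >= sizeof db[0].key || strlen(value) >= sizeof db[0].value) return -3;
    setting_t *s = lookup(key);
    if (!s) {
        if (db_count == MAX_SETTINGS) return -3;
        s = &db[db_count++];
        strcpy(s->key, key);            /* lengths checked above */
    }
    strcpy(s->value, value);
    return 0;
}

const char *get_setting(const char *key) {
    setting_t *s = lookup(key);
    return s ? s->value : NULL;
}

/* VULNERABLE: the endpoint trusts the request alone. Anyone who can reach it
 * rewrites any key, including the administrator's password. */
int write_setting_unsafe(const char *key, const char *value) {
    return store(key, value);
}

/* Per-role allowlist for ordinary keys. Password keys are handled separately
 * because they name a specific account (an object-level check). */
static int role_may_write(enum role r, const char *key) {
    static const char *user_keys[] = { "wifi.ssid", "wifi.psk", NULL };
    if (r == ROLE_ADMIN) return 1;
    if (r == ROLE_USER)
        for (int i = 0; user_keys[i]; i++)
            if (strcmp(user_keys[i], key) == 0) return 1;
    return 0;
}

/* FIXED: 0 = stored, -1 = no session, -2 = forbidden, -3 = bad key/value.
 * "account.<name>.password" may be set only by <name> itself or by an admin,
 * so a low-privileged login cannot reset a higher-privileged account. */
int write_setting_checked(const session_t *s, const char *key, const char *value) {
    if (!s || !s->authenticated) return -1;
    if (strncmp(key, "account.", 8) == 0) {
        const char *name = key + 8;
        const char *dot = strchr(name, '.');
        if (!dot || strcmp(dot, ".password") != 0) return -3;
        size_t nlen = (size_t)(dot - name);
        int is_self = strlen(s->account) == nlen && strncmp(s->account, name, nlen) == 0;
        if (s->role != ROLE_ADMIN && !is_self) return -2;
    } else if (!role_may_write(s->role, key)) {
        return -2;
    }
    return store(key, value);
}

int main(void) {
    printf("anon   -> admin pw: %d\n", write_setting_checked(&SESSION_ANON, "account.admin.password", "x"));
    printf("bob    -> admin pw: %d\n", write_setting_checked(&SESSION_BOB, "account.admin.password", "x"));
    printf("bob    -> own pw  : %d\n", write_setting_checked(&SESSION_BOB, "account.bob.password", "x"));
    printf("bob    -> wan.user: %d\n", write_setting_checked(&SESSION_BOB, "wan.pppoe.user", "x"));
    printf("unsafe -> admin pw: %d\n", write_setting_unsafe("account.admin.password", "pwned"));
    return 0;
}
```

The two checks are independent: the session test alone would still let "bob" overwrite "account.admin.password" (the Maintenance-module case), and the key allowlist alone would still accept unauthenticated writes (the DELT_file.xgi case); both are needed.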
VAR-202508-2439 | CVE-2025-55606 | Shenzhen Tenda Technology Co., Ltd. AX3 firmware classic buffer overflow vulnerability |
CVSS V2: - CVSS V3: 7.5 Severity: HIGH |
Tenda AX3 V16.03.12.10_CN is vulnerable to a buffer overflow in the fromAdvSetMacMtuWan function via the serverName parameter. The AX3 firmware from Shenzhen Tenda Technology Co., Ltd. therefore contains a classic buffer overflow; exploitation may interrupt service (DoS).
VAR-202508-2324 | CVE-2025-55605 | Shenzhen Tenda Technology Co., Ltd. AX3 firmware classic buffer overflow vulnerability |
CVSS V2: - CVSS V3: 7.5 Severity: HIGH |
Tenda AX3 V16.03.12.10_CN is vulnerable to a buffer overflow in the saveParentControlInfo function via the deviceName parameter. The AX3 firmware from Shenzhen Tenda Technology Co., Ltd. therefore contains a classic buffer overflow; exploitation may interrupt service (DoS).
VAR-202508-2414 | CVE-2025-55603 | Shenzhen Tenda Technology Co., Ltd. AX3 firmware classic buffer overflow vulnerability |
CVSS V2: - CVSS V3: 7.5 Severity: HIGH |
Tenda AX3 V16.03.12.10_CN is vulnerable to a buffer overflow in the fromSetSysTime function via the ntpServer parameter. The AX3 firmware from Shenzhen Tenda Technology Co., Ltd. therefore contains a classic buffer overflow; exploitation may interrupt service (DoS).
VAR-202508-2151 | CVE-2025-9309 | Shenzhen Tenda Technology Co., Ltd. AC10 firmware hard-coded password vulnerability |
CVSS V2: 1.0 CVSS V3: 2.5 Severity: Low |
A vulnerability was found in Tenda AC10 16.03.10.13. Affected is an unknown function of the file /etc_ro/shadow in the MD5 Hash Handler component, which contains hard-coded credentials. The attack must be carried out locally, is of high complexity, and is reported to be difficult to exploit; an exploit has nevertheless been published. The AC10 firmware from Shenzhen Tenda Technology Co., Ltd. therefore contains a use-of-hard-coded-password / use-of-hard-coded-credentials weakness. Exploitation may lead to information disclosure, information tampering, and service interruption (DoS).
VAR-202508-2063 | CVE-2025-9299 | Shenzhen Tenda Technology Co., Ltd. M3 firmware buffer error vulnerability |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: High |
A vulnerability has been found in Tenda M3 1.0.0.12. Affected is the function formGetMasterPassengerAnalyseData of the file /goform/getMasterPassengerAnalyseData: manipulation of the Time argument leads to a stack-based buffer overflow. The attack may be initiated remotely, and an exploit has been disclosed publicly. The M3 firmware from Shenzhen Tenda Technology Co., Ltd. therefore contains a buffer error (stack-based buffer overflow) vulnerability; exploitation may lead to information disclosure, information tampering, and service interruption (DoS).
VAR-202508-2069 | CVE-2025-9298 | Shenzhen Tenda Technology Co., Ltd. M3 firmware buffer error vulnerability |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: High |
A flaw has been found in Tenda M3 1.0.0.12. Affected is the function formQuickIndex of the file /goform/QuickIndex: manipulation of the PPPOEPassword argument leads to a stack-based buffer overflow. The attack can be launched remotely, and an exploit has been published. The M3 firmware from Shenzhen Tenda Technology Co., Ltd. therefore contains a buffer error (stack-based buffer overflow) vulnerability; exploitation may lead to information disclosure, information tampering, and service interruption (DoS).
VAR-202508-2214 | CVE-2025-55591 | TOTOLINK A3002R firmware command injection vulnerability |
CVSS V2: - CVSS V3: 9.8 Severity: CRITICAL |
TOTOLINK A3002R v4.0.0-B20230531.1404 contains a command injection vulnerability in the devicemac parameter of the formMapDel endpoint. The A3002R firmware therefore contains a command injection vulnerability; exploitation may lead to information disclosure, information tampering, and service interruption (DoS).
VAR-202508-2081 | CVE-2025-55590 | TOTOLINK A3002R firmware command injection vulnerability |
CVSS V2: - CVSS V3: 6.5 Severity: MEDIUM |
TOTOLINK A3002R v4.0.0-B20230531.1404 contains a command injection vulnerability via the bupload.html component.
VAR-202508-2119 | CVE-2025-55589 | TOTOLINK A3002R firmware OS command injection vulnerability |
CVSS V2: - CVSS V3: 6.5 Severity: MEDIUM |
TOTOLINK A3002R v4.0.0-B20230531.1404 contains multiple OS command injection vulnerabilities via the macstr, bandstr, and clientoff parameters at /boafrm/formMapDelDevice.
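Added illustration for the command injection entries on this page, both the D-Link DSL-7740C ping/ping6/traceroute6/backup/EXE entries (CVE-2025-29523, CVE-2025-29522, CVE-2025-29519, CVE-2025-29517, CVE-2025-29516) and the TOTOLINK A3002R formMapDel/formMapDelDevice/bupload.html entries (CVE-2025-55591, CVE-2025-55590, CVE-2025-55589). This is hypothetical code written for this page, not either vendor's firmware: a diagnostic "ping" handler that splices a request parameter into a shell command line, beside a version that validates the target against an allowlist and runs the tool through execvp() with a fixed argv, so no shell ever sees the value. The command template, the "/tmp/ping.out" path and the function names are invented for the example.

```c
/* Added example (hypothetical, not D-Link or TOTOLINK firmware): OS command
 * injection in a ping-style diagnostic handler, and a shell-free fix. */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* VULNERABLE: the parameter lands in a string that system() hands to /bin/sh.
 * "::1; reboot" or "$(cat /etc/shadow)" runs as a second command. */
const char *build_ping_cmd_unsafe(const char *host, int v6) {
    static char cmd[512];
    snprintf(cmd, sizeof cmd, "%s -c 4 %s > /tmp/ping.out 2>&1",
             v6 ? "ping6" : "ping", host);
    return cmd;                     /* the firmware would call system(cmd) */
}

/* Allowlist validation: a literal IPv4/IPv6 address, or a hostname made of
 * [A-Za-z0-9.-] up to 253 bytes. A leading '-' is rejected so the value cannot
 * become an option to ping. Shell metacharacters never pass this check. */
int valid_ping_target(const char *host) {
    unsigned char addr[16];
    size_t len = host ? strlen(host) : 0;
    if (len == 0 || len > 253 || host[0] == '-') return 0;
    if (inet_pton(AF_INET, host, addr) == 1 || inet_pton(AF_INET6, host, addr) == 1)
        return 1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* FIXED: validate, then build an argv vector. argc is -1 when rejected.
 * "--" ends option parsing in getopt-based ping implementations, a second
 * line of defence against option injection. */
typedef struct { int argc; const char *argv[6]; } ping_cmd;

ping_cmd build_ping_argv(const char *host, int v6) {
    ping_cmd c = { -1, { NULL } };
    if (!valid_ping_target(host)) return c;
    c.argv[0] = v6 ? "ping6" : "ping";
    c.argv[1] = "-c"; c.argv[2] = "4"; c.argv[3] = "--";
    c.argv[4] = host; c.argv[5] = NULL;
    c.argc = 5;
    return c;
}

/* execvp() with a fixed argv: no shell is involved, so ';', '|', '`' and "$("
 * are ordinary bytes inside one argument. Returns the child's exit status,
 * 127 if the tool is missing, -1 on rejection or fork failure. */
int run_ping(const char *host, int v6) {
    ping_cmd c = build_ping_argv(host, v6);
    if (c.argc < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(c.argv[0], (char *const *)c.argv); _exit(127); }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *evil = "::1; reboot";   /* constructed attacker input */
    printf("unsafe: %s\n", build_ping_cmd_unsafe(evil, 1));       /* two commands */
    printf("safe  : argc=%d\n", build_ping_argv(evil, 1).argc);    /* -1, rejected */
    printf("safe  : argc=%d\n", build_ping_argv("2001:db8::1", 1).argc);
    return 0;
}
```

The same shape applies to traceroute6, a backup command built from a filename, or a MAC-address parameter: validate against the exact syntax the parameter is supposed to carry (an address, a hostname, a MAC), and pass it as one argv element. Escaping for the shell is the weaker option because every shell quirk has to be remembered; not invoking a shell removes the class entirely.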
VAR-202508-2136 | CVE-2025-55588 | TOTOLINK A3002R firmware resource exhaustion vulnerability |
CVSS V2: - CVSS V3: 7.5 Severity: HIGH |
TOTOLINK A3002R v4.0.0-B20230531.1404 contains a buffer overflow in the fw_ip parameter at /boafrm/formPortFw that allows attackers to cause a denial of service (DoS) via crafted input. The A3002R firmware therefore contains a resource exhaustion vulnerability; exploitation may interrupt service (DoS).
VAR-202508-2121 | CVE-2025-55587 | TOTOLINK A3002R firmware resource exhaustion vulnerability |
CVSS V2: - CVSS V3: 7.5 Severity: HIGH |
TOTOLINK A3002R v4.0.0-B20230531.1404 contains a buffer overflow in the hostname parameter at /boafrm/formMapDelDevice that allows attackers to cause a denial of service (DoS) via crafted input. The A3002R firmware therefore contains a resource exhaustion vulnerability; exploitation may interrupt service (DoS).
VAR-202508-2195 | CVE-2025-55586 | TOTOLINK A3002R firmware resource exhaustion vulnerability |
CVSS V2: - CVSS V3: 7.5 Severity: HIGH |
TOTOLINK A3002R v4.0.0-B20230531.1404 contains a buffer overflow in the url parameter at /boafrm/formFilter that allows attackers to cause a denial of service (DoS) via crafted input. The A3002R firmware therefore contains a resource exhaustion vulnerability; exploitation may interrupt service (DoS).
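Added illustration for the "parameter X in handler Y leads to a (stack-based) buffer overflow" entries on this page: the Tenda AX3 serverName/deviceName/ntpServer entries (CVE-2025-55606, CVE-2025-55605, CVE-2025-55603), the Tenda M3 Time/PPPOEPassword entries (CVE-2025-9299, CVE-2025-9298) and the TOTOLINK A3002R fw_ip/hostname/url entries (CVE-2025-55588, CVE-2025-55587, CVE-2025-55586). This is hypothetical code written for this page, not Tenda or TOTOLINK firmware: a goform-style handler that copies a form value into a fixed-size stack buffer without comparing the value's length to the buffer, beside a bounded replacement that rejects oversized input instead of truncating it. The form key "deviceName", the 32-byte capacity and the helper names are invented for the example; URL-decoding is deliberately left out.

```c
/* Added example (hypothetical, not Tenda or TOTOLINK code): unbounded copy of
 * a form parameter into a stack buffer, and a length-checked replacement. */
#include <stdio.h>
#include <string.h>

#define NAME_CAP 32   /* size of the on-stack field the handler fills */

/* Locate "key=value" in an application/x-www-form-urlencoded body. Returns a
 * pointer to the value (nothing is copied) and its length via *vlen, or NULL
 * when the key is absent. A real decoder for %xx escapes must itself write
 * into a bounded buffer; it is omitted here. */
const char *find_param(const char *body, const char *key, size_t *vlen) {
    size_t klen = strlen(key);
    const char *p = body;
    while (*p) {
        const char *amp = strchr(p, '&');
        size_t seg = amp ? (size_t)(amp - p) : strlen(p);
        if (seg > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            *vlen = seg - klen - 1;
            return p + klen + 1;
        }
        if (!amp) break;
        p = amp + 1;
    }
    return NULL;
}

/* VULNERABLE (shown, never called): vlen is never compared with NAME_CAP, so a
 * value of 32 bytes or more runs past the array into the saved frame pointer
 * and return address: a crash (DoS) at least, code execution if the attacker
 * controls what lands there. This is the CWE-121 shape of the entries above. */
int set_device_name_unsafe(const char *body) {
    char name[NAME_CAP];
    size_t vlen;
    const char *v = find_param(body, "deviceName", &vlen);
    if (!v) return -1;
    memcpy(name, v, vlen);          /* unbounded copy */
    name[vlen] = '\0';              /* also out of bounds when vlen >= NAME_CAP */
    return (int)strlen(name);
}

/* FIXED: reject (rather than silently truncate) anything that does not fit,
 * restrict the byte set, then copy with the bound made explicit.
 * 0 = ok, -1 = missing, -2 = too long, -3 = disallowed byte. */
int copy_param_bounded(const char *body, const char *key, char *out, size_t cap) {
    size_t vlen;
    const char *v = find_param(body, key, &vlen);
    if (!v) return -1;
    if (vlen >= cap) return -2;     /* leave room for the terminator */
    for (size_t i = 0; i < vlen; i++) {
        unsigned char c = (unsigned char)v[i];
        if (c < 0x20 || c > 0x7e) return -3;   /* printable ASCII only */
    }
    memcpy(out, v, vlen);
    out[vlen] = '\0';
    return 0;
}

/* Stand-in for the device's stored configuration. */
static char g_device_name[NAME_CAP] = "router";

int handle_set_device_name(const char *body) {
    char name[NAME_CAP];            /* same stack field, now filled safely */
    int rc = copy_param_bounded(body, "deviceName", name, sizeof name);
    if (rc != 0) return rc;         /* request rejected, nothing stored */
    snprintf(g_device_name, sizeof g_device_name, "%s", name);
    return 0;
}

const char *current_device_name(void) { return g_device_name; }

int main(void) {
    char big[200];                  /* constructed oversized value */
    memset(big, 'A', sizeof big - 1); big[sizeof big - 1] = '\0';
    char body[256];
    snprintf(body, sizeof body, "deviceName=%s&timeZone=UTC", big);
    printf("short value : %d\n", handle_set_device_name("deviceName=lab-ap&timeZone=UTC"));
    printf("200-byte val: %d (name still %s)\n", handle_set_device_name(body), current_device_name());
    return 0;
}
```

Rejecting with an error rather than truncating matters for fields such as ntpServer, serverName or fw_ip that are later used as addresses: a silently truncated value points the device somewhere else. The same bounded copy, with a field-specific character check, covers every parameter named in the entries above.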