VARIoT IoT vulnerabilities database

Affected products: vendor, model and version
CWE format is 'CWE-number'. Threat type can be: remote or local
Look up free text in title and description

VAR-202504-3439 CVE-2025-45428 Shenzhen Tenda Technology Co.,Ltd.  of  AC9  Stack-based buffer overflow vulnerability in firmware CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
In Tenda ac9 v1.0 with firmware V15.03.05.14_multi, the rebootTime parameter of /goform/SetSysAutoRebbotCfg has a stack overflow vulnerability, which can lead to remote arbitrary code execution. Shenzhen Tenda Technology Co.,Ltd. of AC9 A stack-based buffer overflow vulnerability exists in the firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Tenda AC9 has a buffer overflow vulnerability. The vulnerability is caused by the rebootTime parameter of /goform/SetSysAutoRebbotCfg failing to properly verify the length of the input data. Attackers can exploit this vulnerability to execute arbitrary code on the system or cause a denial of service
VAR-202504-3416 CVE-2025-45427 Shenzhen Tenda Technology Co.,Ltd.  of  AC9  Stack-based buffer overflow vulnerability in firmware CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
In Tenda AC9 v1.0 with firmware V15.03.05.14_multi, the security parameter of /goform/WifiBasicSet has a stack overflow vulnerability, which can lead to remote arbitrary code execution. Shenzhen Tenda Technology Co.,Ltd. of AC9 A stack-based buffer overflow vulnerability exists in the firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Tenda AC9 V15.03.05.14_multi has a buffer overflow vulnerability. The vulnerability is caused by the /goform/WifiBasicSet security parameter failing to properly verify the length of the input data
VAR-202504-3410 CVE-2025-29743 D-Link Systems, Inc.  of  DIR-816  Command injection vulnerability in firmware CVSS V2: 6.4
CVSS V3: 6.5
Severity: MEDIUM
D-Link DIR-816 A2V1.1.0B05 was found to contain a command injection in /goform/delRouting. D-Link Systems, Inc. D-Link DIR-816 A2 is a home and small office (SOHO) wireless router launched by D-Link. The vulnerability originates from the /goform/delRouting path. No detailed vulnerability details are provided at this time
VAR-202504-3330 CVE-2025-28039 TOTOLINK  of  ex1200t  in the firmware  OS  Command injection vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
TOTOLINK EX1200T V4.1.2cu.5232_B20210713 was found to contain a pre-auth remote command execution vulnerability in the setUpgradeFW function through the FileName parameter. TOTOLINK of ex1200t The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. TOTOLINK EX1200T is a dual-band wireless signal amplifier, mainly used to expand the coverage of existing wireless networks. TOTOLINK EX1200T has a code execution vulnerability. An attacker can exploit this vulnerability to execute arbitrary code on the target system, thereby gaining full control of the system
VAR-202504-3422 CVE-2025-28038 TOTOLINK  of  ex1200t  in the firmware  OS  Command injection vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
TOTOLINK EX1200T V4.1.2cu.5232_B20210713 was found to contain a pre-auth remote command execution vulnerability in the setWebWlanIdx function through the webWlanIdx parameter. TOTOLINK of ex1200t The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. TOTOLINK EX1200T is a wireless router from TOTOLINK that provides convenient network connection and management functions. Attackers can use this vulnerability to execute arbitrary commands
VAR-202504-3346 CVE-2025-28036 plural  TOTOLINK  In the product  OS  Command injection vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
TOTOLINK A950RG V4.1.2cu.5161_B20200903 was found to contain a pre-auth remote command execution vulnerability in the setNoticeCfg function through the NoticeUrl parameter. a950rg firmware, A810R firmware, a800r firmware etc. TOTOLINK The product has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. TOTOLINK A950RG is a gaming router and smart router that supports 2.4GHz and 5GHz dual-band. Attackers can exploit this vulnerability to execute arbitrary commands
VAR-202504-3404 CVE-2025-28035 plural  TOTOLINK  In the product  OS  Command injection vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
TOTOLINK A830R V4.1.2cu.5182_B20201102 was found to contain a pre-auth remote command execution vulnerability in the setNoticeCfg function through the NoticeUrl parameter. A830R firmware, A3100R firmware, A810R firmware etc. TOTOLINK The product has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. TOTOLINK A830R is a wireless dual-band router from China's TOTOLINK Electronics
VAR-202504-3481 CVE-2025-28029 plural  TOTOLINK  Stack-based buffer overflow vulnerability in products CVSS V2: -
CVSS V3: 7.3
Severity: HIGH
TOTOLINK A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129 were found to contain a buffer overflow vulnerability in cstecgi.cgi. A830R firmware, a950rg firmware, A3000RU firmware etc. TOTOLINK The product contains a stack-based buffer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state
VAR-202504-3453 CVE-2025-28027 plural  TOTOLINK  Stack-based buffer overflow vulnerability in products CVSS V2: -
CVSS V3: 7.3
Severity: HIGH
TOTOLINK A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129 was found to contain a buffer overflow vulnerability in downloadFile.cgi. A830R firmware, a950rg firmware, A3000RU firmware etc. TOTOLINK The product contains a stack-based buffer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state
VAR-202504-3475 CVE-2025-28026 plural  TOTOLINK  Stack-based buffer overflow vulnerability in products CVSS V2: -
CVSS V3: 7.3
Severity: HIGH
TOTOLINK A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129 were found to contain a buffer overflow vulnerability in downloadFile.cgi. A830R firmware, a950rg firmware, A3000RU firmware etc. TOTOLINK The product contains a stack-based buffer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state
VAR-202504-3411 CVE-2025-28037 TOTOLINK  of  A810R  firmware and  a950rg  in the firmware  OS  Command injection vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
TOTOLINK A810R V4.1.2cu.5182_B20201026 and A950RG V4.1.2cu.5161_B20200903 were found to contain a pre-auth remote command execution vulnerability in the setDiagnosisCfg function through the ipDomain parameter. TOTOLINK of A810R firmware and a950rg The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. TOTOLINK A950RG and TOTOLINK A810R are both products of China's TOTOLINK Electronics. TOTOLINK A950RG is a super-generation Giga wireless router. TOTOLINK A810R is a wireless dual-band router. Attackers can exploit this vulnerability to execute arbitrary commands
VAR-202504-3390 CVE-2025-28031 TOTOLINK  of  A810R  Hardcoded password usage vulnerability in firmware CVSS V2: 6.1
CVSS V3: 6.5
Severity: MEDIUM
TOTOLINK A810R V4.1.2cu.5182_B20201026 was discovered to contain a hardcoded password for the telnet service in product.ini. TOTOLINK of A810R A vulnerability exists in the firmware related to the use of hardcoded passwords.Information may be obtained and information may be tampered with. TOTOLINK A810R is a wireless dual-band router from China's TOTOLINK Electronics. TOTOLINK A810R V4.1.2cu.5182_B20201026 has a trust management vulnerability, which is caused by a hard-coded password in product.ini. Attackers can exploit this vulnerability to cause authentication errors
VAR-202504-3251 CVE-2025-28030 TOTOLINK  of  A810R  Stack-based buffer overflow vulnerability in firmware CVSS V2: 10.0
CVSS V3: 8.8
Severity: HIGH
TOTOLINK A810R V4.1.2cu.5182_B20201026 was discovered to contain a stack overflow via the startTime and endTime parameters in setParentalRules function. TOTOLINK of A810R A stack-based buffer overflow vulnerability exists in the firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. TOTOLINK A810R is a wireless dual-band router from China's TOTOLINK Electronics. TOTOLINK A810R V4.1.2cu.5182_B20201026 has a buffer overflow vulnerability. The vulnerability is caused by the startTime and endTime parameters in the setParentalRules function failing to correctly verify the length of the input data. Remote attackers can exploit this vulnerability to execute arbitrary code on the system or cause a denial of service
VAR-202504-3327 CVE-2025-28024 TOTOLINK  of  A810R  Classic buffer overflow vulnerability in firmware CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
TOTOLINK A810R V4.1.2cu.5182_B20201026 was found to contain a buffer overflow vulnerability in the cstecgi.cgi. TOTOLINK of A810R Firmware has a classic buffer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. TOTOLINK A810R is a wireless dual-band router from China's TOTOLINK Electronics. The vulnerability is caused by cstecgi.cgi failing to correctly verify the length of the input data. Remote attackers can exploit this vulnerability to execute arbitrary code on the system or cause a denial of service
VAR-202504-3389 CVE-2025-28034 plural  TOTOLINK  In the product  OS  Command injection vulnerability CVSS V2: -
CVSS V3: 9.8
Severity: CRITICAL
TOTOLINK A800R V4.1.2cu.5137_B20200730, A810R V4.1.2cu.5182_B20201026, A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129 were found to contain a pre-auth remote command execution vulnerability in the NTPSyncWithHost function through the hostTime parameter. a800r firmware, A810R firmware, A830R firmware etc. TOTOLINK The product has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state
VAR-202504-3329 CVE-2025-28033 plural  TOTOLINK  Stack-based buffer overflow vulnerability in products CVSS V2: -
CVSS V3: 7.3
Severity: HIGH
TOTOLINK A800R V4.1.2cu.5137_B20200730, A810R V4.1.2cu.5182_B20201026, A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129 were found to contain a pre-auth buffer overflow vulnerability in the setNoticeCfg function through the IpTo parameter. a800r firmware, A810R firmware, A830R firmware etc. TOTOLINK The product contains a stack-based buffer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state
VAR-202504-3345 CVE-2025-28032 plural  TOTOLINK  Stack-based buffer overflow vulnerability in products CVSS V2: -
CVSS V3: 7.3
Severity: HIGH
TOTOLINK A800R V4.1.2cu.5137_B20200730, A810R V4.1.2cu.5182_B20201026, A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129 contain a pre-auth buffer overflow vulnerability in the setNoticeCfg function through the IpForm parameter. a800r firmware, A810R firmware, A830R firmware etc. TOTOLINK The product contains a stack-based buffer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state
VAR-202504-4020 No CVE Netshi Technology Co., Ltd. W1 series routers have unauthorized access vulnerabilities CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Founded in 2016, Netshi Technology Co., Ltd. is a high-tech enterprise focusing on the research, development, production and sales of data communication network equipment. Netshi Technology Co., Ltd.'s W1 series routers have an unauthorized access vulnerability that attackers can exploit to obtain sensitive information.
VAR-202504-3648 No CVE TOSHIBA e-STUDIO4508A has a weak password vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
TOSHIBA e-STUDIO4508A is a high-performance black-and-white digital multifunction printer suitable for office environments, providing printing, copying and scanning functions. ‌ TOSHIBA e-STUDIO4508A has a weak password vulnerability that can be exploited by attackers to obtain sensitive information.
VAR-202504-3808 No CVE Beijing Zhixin Microelectronics Technology Co., Ltd.'s intelligent fusion terminal has industrial control equipment vulnerabilities CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Beijing Zhixin Microelectronics Technology Co., Ltd. is a high-tech enterprise focusing on the field of microelectronics. Beijing Zhixin Microelectronics Technology Co., Ltd.'s intelligent fusion terminal has an industrial control equipment vulnerability, which can be exploited by attackers to obtain server permissions.