VARIoT IoT vulnerabilities database

Affected products: vendor, model and version
CWE format is 'CWE-number'. Threat type can be: remote or local
Look up free text in title and description

VAR-202511-0003 CVE-2025-12601 Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 Denial-of-Service Vulnerabilities CVSS V2: 10.0
CVSS V3: 7.5
Severity: HIGH
Denial of Service Due to SlowLoris.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company. Both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 contain a denial-of-service vulnerability stemming from their susceptibility to the SlowLoris attack. An attacker could exploit this vulnerability to cause a denial-of-service attack
VAR-202511-0305 CVE-2025-12600 An unidentified vulnerability exists in Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 (CNVD-2025-27469). CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
Web UI Malfunction when setting unexpected locale via API.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company. Both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 contain a security vulnerability that attackers could exploit to cause web UI malfunctions
VAR-202511-0275 CVE-2025-12599 An unidentified vulnerability exists in Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4. CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
Multiple Devices are Sharing the Same Secrets for SDKSocket (TCP/5000).This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company. A security vulnerability exists in both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4. Detailed vulnerability information is not currently available
VAR-202510-2276 CVE-2025-63458 Tenda AX-1803 buffer overflow vulnerability CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
Tenda AX-1803 v1.0.0.1 was discovered to contain a stack overflow via the timeZone parameter in the form_fast_setting_wifi_set function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. The Tenda AX-1803 is a wireless router manufactured by Tenda, a Chinese company. Version 1.0.0.1 of the Tenda AX-1803 contains a buffer overflow vulnerability. This vulnerability stems from the fact that the `timeZone` parameter in the `form_fast_setting_wifi_set` function fails to properly validate the length of the input data
VAR-202510-2641 CVE-2025-63454 CVSS V2: -
CVSS V3: 7.5
Severity: HIGH
Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow via the deviceId parameter in the get_parentControl_list_Info function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.
VAR-202510-2331 CVE-2025-63459 TOTOLINK A7000R sub_421CF0 Function Stack Buffer Overflow Vulnerability CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
Totolink A7000R v9.1.0u.6115_B20201022 was discovered to contain a stack overflow via the ssid5g parameter in the sub_421CF0 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. The TOTOLINK A7000R is a wireless router launched by TOTOLINK Electronics Co., Ltd. in China. It supports WiFi 7 technology and is suitable for home or small business network environments. This vulnerability stems from the fact that the ssid5g parameter in the sub_421CF0 function fails to properly validate the length of the input data
VAR-202510-2384 CVE-2025-63465 TOTOLINK LR350 sub_422880 Function Stack Buffer Overflow Vulnerability CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
Totolink LR350 v9.3.5u.6369_B20220309 was discovered to contain a stack overflow via the ssid parameter in the sub_422880 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. The TOTOLINK LR350 is a 4G LTE wireless router launched by TOTOLINK Electronics, a Chinese company. It supports converting 4G signals to wired signals and is suitable for home and office use. The TOTOLINK LR350 contains a stack buffer overflow vulnerability. This vulnerability stems from the fact that the ssid parameter in the sub_422880 function fails to properly validate the length of the input data
VAR-202510-2383 CVE-2025-63464 TOTOLINK LR350 sub_42396C function stack buffer overflow vulnerability CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
Totolink LR350 v9.3.5u.6369_B20220309 was discovered to contain a stack overflow via the ssid parameter in the sub_42396C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. The TOTOLINK LR350 is a 4G LTE wireless router launched by TOTOLINK Electronics, a Chinese company. It supports converting 4G signals to wired signals and is suitable for home and office use. The TOTOLINK LR350 contains a stack buffer overflow vulnerability. This vulnerability stems from the fact that the ssid parameter in the sub_42396C function fails to properly validate the length of the input data
VAR-202510-2082 CVE-2025-63463 TOTOLINK LR350 sub_4232EC function stack buffer overflow vulnerability CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
Totolink LR350 v9.3.5u.6369_B20220309 was discovered to contain a stack overflow via the wifiOff parameter in the sub_4232EC function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. The TOTOLINK LR350 is a 4G LTE wireless router launched by TOTOLINK Electronics, a Chinese company. It supports converting 4G signals to wired signals and is suitable for home and office use. This vulnerability stems from the fact that the wifiOff parameter in the sub_4232EC function fails to properly validate the length of the input data
VAR-202510-2332 CVE-2025-63462 TOTOLINK A7000R sub_421A04 Function Stack Buffer Overflow Vulnerability CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
Totolink A7000R v9.1.0u.6115_B20201022 was discovered to contain a stack overflow via the wifiOff parameter in the sub_421A04 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. The TOTOLINK A7000R is a wireless router launched by TOTOLINK Electronics Co., Ltd. in China. It supports WiFi 7 technology and is suitable for home or small business network environments. This vulnerability stems from the fact that the wifiOff parameter in the sub_421A04 function fails to properly validate the length of the input data
VAR-202510-2144 CVE-2025-63461 TOTOLINK A7000R urldecode function stack buffer overflow vulnerability CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
Totolink A7000R v9.1.0u.6115_B20201022 was discovered to contain a stack overflow via the ssid5g parameter in the urldecode function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. The TOTOLINK A7000R is a wireless router launched by TOTOLINK Electronics Co., Ltd. in China. It supports WiFi 7 technology and is suitable for home or small business network environments. This vulnerability stems from the fact that the ssid5g parameter in the urldecode function fails to properly validate the length of the input data
VAR-202510-2190 CVE-2025-63460 TOTOLINK A7000R sub_4222E0 Function Stack Buffer Overflow Vulnerability CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
Totolink A7000R v9.1.0u.6115_B20201022 was discovered to contain a stack overflow via the ssid5g parameter in the sub_4222E0 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. The TOTOLINK A7000R is a wireless router launched by TOTOLINK Electronics Co., Ltd. in China. It supports WiFi 7 technology and is suitable for home or small business network environments. This vulnerability stems from the fact that the ssid5g parameter in the sub_4222E0 function fails to properly validate the length of the input data. An attacker could exploit this vulnerability to cause a denial-of-service attack
VAR-202510-2189 CVE-2025-63469 TOTOLINK LR350 sub_421BAC function stack buffer overflow vulnerability CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
Totolink LR350 v9.3.5u.6369_B20220309 was discovered to contain a stack overflow via the ssid parameter in the sub_421BAC function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. The TOTOLINK LR350 is a 4G LTE wireless router launched by TOTOLINK Electronics, a Chinese company. It supports converting 4G signals to wired signals and is suitable for home and office use. The TOTOLINK LR350 contains a stack buffer overflow vulnerability. This vulnerability stems from the fact that the ssid parameter in the sub_421BAC function fails to properly validate the length of the input data
VAR-202510-2080 CVE-2025-63468 TOTOLINK LR350 http_host parameter stack buffer overflow vulnerability CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
Totolink LR350 v9.3.5u.6369_B20220309 was discovered to contain a stack overflow via the http_host parameter in the sub_426EF8 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. The TOTOLINK LR350 is a 4G LTE wireless router launched by TOTOLINK Electronics, a Chinese company. It supports converting 4G signals to wired signals and is suitable for home and office use. This vulnerability stems from the fact that the `http_host` parameter in the `sub_426EF8` function fails to properly validate the length of the input data
VAR-202510-2081 CVE-2025-63467 TOTOLINK LR350 sub_425400 function stack buffer overflow vulnerability CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
Totolink LR350 v9.3.5u.6369_B20220309 was discovered to contain a stack overflow via the ssid parameter in the sub_425400 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. The TOTOLINK LR350 is a 4G LTE wireless router launched by TOTOLINK, a Chinese electronics company. It supports converting 4G signals to wired signals and is suitable for home and office use. The TOTOLINK LR350 contains a stack buffer overflow vulnerability. This vulnerability stems from the fact that the ssid parameter in the sub_425400 function fails to properly validate the length of the input data
VAR-202510-2382 CVE-2025-63466 TOTOLINK LR350 sub_426EF8 function stack buffer overflow vulnerability CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
Totolink LR350 v9.3.5u.6369_B20220309 was discovered to contain a stack overflow via the password parameter in the sub_426EF8 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. The TOTOLINK LR350 is a 4G LTE wireless router launched by TOTOLINK, a Chinese electronics company. It supports converting 4G signals to wired signals and is suitable for home and office use. This vulnerability stems from the fact that the `password` parameter in the `sub_426EF8` function fails to properly validate the length of the input data
VAR-202510-3515 CVE-2025-12554 An undiscovered vulnerability exists in Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 (CNVD-2025-29071). CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
Missing Security Headers.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company. A security vulnerability exists in both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4, stemming from a missing security header. Detailed vulnerability information is not currently available
VAR-202510-3385 CVE-2025-12553 An undiscovered vulnerability exists in Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 (CNVD-2025-29076). CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
Email Server Certificate Verification Disabled.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company. Both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 contain a security vulnerability stemming from the disabling of email server certificate verification. Attackers could exploit this vulnerability to launch a man-in-the-middle attack
VAR-202510-3993 CVE-2025-12552 An unidentified vulnerability exists in Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 (CNVD-2025-29072). CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
Insufficient Password Policy.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company. Both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 contain a security vulnerability stemming from insufficient password policies. Detailed vulnerability information is not currently available
VAR-202510-2153 CVE-2025-62232 CVSS V2: -
CVSS V3: 7.5
Severity: HIGH
Sensitive data exposure via logging in basic-auth leads to plaintext usernames and passwords written to error logs and forwarded to log sinks when log level is INFO/DEBUG. This creates a high risk of credential compromise through log access. It has been fixed in the following commit:  https://github.com/apache/apisix/pull/12629 Users are recommended to upgrade to version 3.14, which fixes this issue.