VARIoT IoT vulnerabilities database
| VAR-202511-0003 | CVE-2025-12601 | Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 Denial-of-Service Vulnerabilities |
CVSS V2: 10.0 CVSS V3: 7.5 Severity: HIGH |
Denial of Service Due to SlowLoris.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company.
Both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 contain a denial-of-service vulnerability stemming from their susceptibility to the SlowLoris attack. An attacker could exploit this vulnerability to cause a denial-of-service attack
| VAR-202511-0305 | CVE-2025-12600 | An unidentified vulnerability exists in Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 (CNVD-2025-27469). |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Web UI Malfunction when setting unexpected locale via API.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company.
Both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 contain a security vulnerability that attackers could exploit to cause web UI malfunctions
| VAR-202511-0275 | CVE-2025-12599 | An unidentified vulnerability exists in Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4. |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Multiple Devices are Sharing the Same Secrets for SDKSocket (TCP/5000).This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company.
A security vulnerability exists in both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4. Detailed vulnerability information is not currently available
| VAR-202510-2276 | CVE-2025-63458 | Tenda AX-1803 buffer overflow vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
Tenda AX-1803 v1.0.0.1 was discovered to contain a stack overflow via the timeZone parameter in the form_fast_setting_wifi_set function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. The Tenda AX-1803 is a wireless router manufactured by Tenda, a Chinese company.
Version 1.0.0.1 of the Tenda AX-1803 contains a buffer overflow vulnerability. This vulnerability stems from the fact that the `timeZone` parameter in the `form_fast_setting_wifi_set` function fails to properly validate the length of the input data
| VAR-202510-2641 | CVE-2025-63454 |
CVSS V2: - CVSS V3: 7.5 Severity: HIGH |
Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow via the deviceId parameter in the get_parentControl_list_Info function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.
| VAR-202510-2331 | CVE-2025-63459 | TOTOLINK A7000R sub_421CF0 Function Stack Buffer Overflow Vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
Totolink A7000R v9.1.0u.6115_B20201022 was discovered to contain a stack overflow via the ssid5g parameter in the sub_421CF0 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. The TOTOLINK A7000R is a wireless router launched by TOTOLINK Electronics Co., Ltd. in China. It supports WiFi 7 technology and is suitable for home or small business network environments. This vulnerability stems from the fact that the ssid5g parameter in the sub_421CF0 function fails to properly validate the length of the input data
| VAR-202510-2384 | CVE-2025-63465 | TOTOLINK LR350 sub_422880 Function Stack Buffer Overflow Vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
Totolink LR350 v9.3.5u.6369_B20220309 was discovered to contain a stack overflow via the ssid parameter in the sub_422880 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. The TOTOLINK LR350 is a 4G LTE wireless router launched by TOTOLINK Electronics, a Chinese company. It supports converting 4G signals to wired signals and is suitable for home and office use.
The TOTOLINK LR350 contains a stack buffer overflow vulnerability. This vulnerability stems from the fact that the ssid parameter in the sub_422880 function fails to properly validate the length of the input data
| VAR-202510-2383 | CVE-2025-63464 | TOTOLINK LR350 sub_42396C function stack buffer overflow vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
Totolink LR350 v9.3.5u.6369_B20220309 was discovered to contain a stack overflow via the ssid parameter in the sub_42396C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. The TOTOLINK LR350 is a 4G LTE wireless router launched by TOTOLINK Electronics, a Chinese company. It supports converting 4G signals to wired signals and is suitable for home and office use.
The TOTOLINK LR350 contains a stack buffer overflow vulnerability. This vulnerability stems from the fact that the ssid parameter in the sub_42396C function fails to properly validate the length of the input data
| VAR-202510-2082 | CVE-2025-63463 | TOTOLINK LR350 sub_4232EC function stack buffer overflow vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
Totolink LR350 v9.3.5u.6369_B20220309 was discovered to contain a stack overflow via the wifiOff parameter in the sub_4232EC function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. The TOTOLINK LR350 is a 4G LTE wireless router launched by TOTOLINK Electronics, a Chinese company. It supports converting 4G signals to wired signals and is suitable for home and office use. This vulnerability stems from the fact that the wifiOff parameter in the sub_4232EC function fails to properly validate the length of the input data
| VAR-202510-2332 | CVE-2025-63462 | TOTOLINK A7000R sub_421A04 Function Stack Buffer Overflow Vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
Totolink A7000R v9.1.0u.6115_B20201022 was discovered to contain a stack overflow via the wifiOff parameter in the sub_421A04 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. The TOTOLINK A7000R is a wireless router launched by TOTOLINK Electronics Co., Ltd. in China. It supports WiFi 7 technology and is suitable for home or small business network environments. This vulnerability stems from the fact that the wifiOff parameter in the sub_421A04 function fails to properly validate the length of the input data
| VAR-202510-2144 | CVE-2025-63461 | TOTOLINK A7000R urldecode function stack buffer overflow vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
Totolink A7000R v9.1.0u.6115_B20201022 was discovered to contain a stack overflow via the ssid5g parameter in the urldecode function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. The TOTOLINK A7000R is a wireless router launched by TOTOLINK Electronics Co., Ltd. in China. It supports WiFi 7 technology and is suitable for home or small business network environments. This vulnerability stems from the fact that the ssid5g parameter in the urldecode function fails to properly validate the length of the input data
| VAR-202510-2190 | CVE-2025-63460 | TOTOLINK A7000R sub_4222E0 Function Stack Buffer Overflow Vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
Totolink A7000R v9.1.0u.6115_B20201022 was discovered to contain a stack overflow via the ssid5g parameter in the sub_4222E0 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. The TOTOLINK A7000R is a wireless router launched by TOTOLINK Electronics Co., Ltd. in China. It supports WiFi 7 technology and is suitable for home or small business network environments. This vulnerability stems from the fact that the ssid5g parameter in the sub_4222E0 function fails to properly validate the length of the input data. An attacker could exploit this vulnerability to cause a denial-of-service attack
| VAR-202510-2189 | CVE-2025-63469 | TOTOLINK LR350 sub_421BAC function stack buffer overflow vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
Totolink LR350 v9.3.5u.6369_B20220309 was discovered to contain a stack overflow via the ssid parameter in the sub_421BAC function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. The TOTOLINK LR350 is a 4G LTE wireless router launched by TOTOLINK Electronics, a Chinese company. It supports converting 4G signals to wired signals and is suitable for home and office use.
The TOTOLINK LR350 contains a stack buffer overflow vulnerability. This vulnerability stems from the fact that the ssid parameter in the sub_421BAC function fails to properly validate the length of the input data
| VAR-202510-2080 | CVE-2025-63468 | TOTOLINK LR350 http_host parameter stack buffer overflow vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
Totolink LR350 v9.3.5u.6369_B20220309 was discovered to contain a stack overflow via the http_host parameter in the sub_426EF8 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. The TOTOLINK LR350 is a 4G LTE wireless router launched by TOTOLINK Electronics, a Chinese company. It supports converting 4G signals to wired signals and is suitable for home and office use. This vulnerability stems from the fact that the `http_host` parameter in the `sub_426EF8` function fails to properly validate the length of the input data
| VAR-202510-2081 | CVE-2025-63467 | TOTOLINK LR350 sub_425400 function stack buffer overflow vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
Totolink LR350 v9.3.5u.6369_B20220309 was discovered to contain a stack overflow via the ssid parameter in the sub_425400 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. The TOTOLINK LR350 is a 4G LTE wireless router launched by TOTOLINK, a Chinese electronics company. It supports converting 4G signals to wired signals and is suitable for home and office use.
The TOTOLINK LR350 contains a stack buffer overflow vulnerability. This vulnerability stems from the fact that the ssid parameter in the sub_425400 function fails to properly validate the length of the input data
| VAR-202510-2382 | CVE-2025-63466 | TOTOLINK LR350 sub_426EF8 function stack buffer overflow vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
Totolink LR350 v9.3.5u.6369_B20220309 was discovered to contain a stack overflow via the password parameter in the sub_426EF8 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. The TOTOLINK LR350 is a 4G LTE wireless router launched by TOTOLINK, a Chinese electronics company. It supports converting 4G signals to wired signals and is suitable for home and office use. This vulnerability stems from the fact that the `password` parameter in the `sub_426EF8` function fails to properly validate the length of the input data
| VAR-202510-3515 | CVE-2025-12554 | An undiscovered vulnerability exists in Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 (CNVD-2025-29071). |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Missing Security Headers.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company.
A security vulnerability exists in both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4, stemming from a missing security header. Detailed vulnerability information is not currently available
| VAR-202510-3385 | CVE-2025-12553 | An undiscovered vulnerability exists in Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 (CNVD-2025-29076). |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Email Server Certificate Verification Disabled.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company.
Both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 contain a security vulnerability stemming from the disabling of email server certificate verification. Attackers could exploit this vulnerability to launch a man-in-the-middle attack
| VAR-202510-3993 | CVE-2025-12552 | An unidentified vulnerability exists in Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 (CNVD-2025-29072). |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Insufficient Password Policy.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company.
Both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 contain a security vulnerability stemming from insufficient password policies. Detailed vulnerability information is not currently available
| VAR-202510-2153 | CVE-2025-62232 |
CVSS V2: - CVSS V3: 7.5 Severity: HIGH |
Sensitive data exposure via logging in basic-auth leads to plaintext usernames and passwords written to error logs and forwarded to log sinks when log level is INFO/DEBUG. This creates a high risk of credential compromise through log access.
It has been fixed in the following commit: https://github.com/apache/apisix/pull/12629
Users are recommended to upgrade to version 3.14, which fixes this issue.