VARIoT IoT vulnerabilities database
| VAR-202508-2119 | CVE-2025-55589 | TOTOLINK of A3002R in the firmware OS Command injection vulnerability |
CVSS V2: 6.4 CVSS V3: 6.5 Severity: MEDIUM |
TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain multiple OS command injection vulnerabilities via the macstr, bandstr, and clientoff parameters at /boafrm/formMapDelDevice. The TOTOLINK A3002R is a wireless router manufactured by China's TOTOLINK Electronics. Its primary function is to provide wireless network connectivity for homes and small offices. Detailed vulnerability details are not available at this time
| VAR-202508-2136 | CVE-2025-55588 | TOTOLINK of A3002R Firmware resource exhaustion vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow in the fw_ip parameter at /boafrm/formPortFw. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. TOTOLINK of A3002R Firmware has a resource exhaustion vulnerability.Service operation interruption (DoS) It may be in a state. The TOTOLINK A3002R is a wireless router manufactured by China's TOTOLINK Electronics. Its primary function is to provide wireless network connectivity for homes and small offices. This vulnerability arises from the fw_ip parameter in /boafrm/formPortFw being copied directly into a fixed-length stack buffer without performing length and character checks
| VAR-202508-2121 | CVE-2025-55587 | TOTOLINK of A3002R Firmware resource exhaustion vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow in the hostname parameter at /boafrm/formMapDelDevice. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. TOTOLINK of A3002R Firmware has a resource exhaustion vulnerability.Service operation interruption (DoS) It may be in a state. The TOTOLINK A3002R is a wireless router manufactured by China's TOTOLINK Electronics. Its primary function is to provide wireless network connectivity for homes and small offices
| VAR-202508-2195 | CVE-2025-55586 | TOTOLINK of A3002R Firmware resource exhaustion vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow in the url parameter at /boafrm/formFilter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. TOTOLINK of A3002R Firmware has a resource exhaustion vulnerability.Service operation interruption (DoS) It may be in a state. The TOTOLINK A3002R is a wireless router manufactured by China's TOTOLINK Electronics. Its primary function is to provide wireless network connectivity for homes and small offices
| VAR-202508-2096 | CVE-2025-55585 | TOTOLINK of A3002R in the firmware Eval Injection vulnerabilities |
CVSS V2: 6.4 CVSS V3: 6.5 Severity: MEDIUM |
TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain an eval injection vulnerability via the eval() function. The TOTOLINK A3002R is a wireless router manufactured by TOTOLINK Electronics of China. Its primary function is to provide wireless network connectivity for homes and small offices. Detailed vulnerability details are currently unavailable
| VAR-202508-2106 | CVE-2025-55584 | TOTOLINK of A3002R Firmware vulnerability related to the use of weak credentials |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain insecure credentials for the telnet service and root account. TOTOLINK of A3002R The firmware is vulnerable to the use of weak credentials.Information may be obtained. The TOTOLINK A3002R is a wireless router manufactured by the Chinese company TOTOLINK. Its primary function is to provide wireless network connectivity for homes and small offices. Detailed vulnerability details are not available at this time
| VAR-202508-2196 | CVE-2025-57703 | Delta Electronics, INC. of DIAEnergie Cross-site scripting vulnerability in |
CVSS V2: 6.4 CVSS V3: 6.1 Severity: MEDIUM |
DIAEnergie - Reflected Cross-site Scripting. Delta Electronics, INC. It is used to monitor and analyze energy consumption in real time, calculate energy consumption and load characteristics, optimize equipment performance, improve production processes, and maximize energy efficiency.
Delta Electronics DIAEnergie suffers from a cross-site scripting vulnerability caused by improper validation of user-supplied input. No detailed vulnerability details are currently available
| VAR-202508-2118 | CVE-2025-57702 | Delta Electronics, INC. of DIAEnergie Cross-site scripting vulnerability in |
CVSS V2: 6.4 CVSS V3: 6.1 Severity: MEDIUM |
DIAEnergie - Reflected Cross-site Scripting. Delta Electronics, INC. It is used to monitor and analyze energy consumption in real time, calculate energy consumption and load characteristics, optimize equipment performance, improve production processes, and maximize energy efficiency.
Delta Electronics DIAEnergie suffers from a cross-site scripting vulnerability caused by improper validation of user-supplied input. No detailed vulnerability details are currently available
| VAR-202508-2245 | CVE-2025-57701 | Delta Electronics, INC. of DIAEnergie Cross-site scripting vulnerability in |
CVSS V2: 6.4 CVSS V3: 6.1 Severity: MEDIUM |
DIAEnergie - Reflected Cross-site Scripting. Delta Electronics, INC. It is used to monitor and analyze energy consumption in real time, calculate energy consumption and load characteristics, optimize equipment performance, improve production processes, and maximize energy efficiency.
Delta Electronics DIAEnergie suffers from a cross-site scripting vulnerability caused by improper validation of user-supplied input. No detailed vulnerability details are currently available
| VAR-202508-2187 | CVE-2025-57700 | Delta Electronics, INC. of DIAEnergie Cross-site scripting vulnerability in |
CVSS V2: 6.4 CVSS V3: 6.1 Severity: MEDIUM |
DIAEnergie - Stored Cross-site Scripting. Delta Electronics, INC. It is used to monitor and analyze energy consumption in real time, calculate energy consumption and load characteristics, optimize equipment performance, improve production processes, and maximize energy efficiency.
Delta Electronics DIAEnergie suffers from a cross-site scripting vulnerability caused by improper validation of user-supplied input. No detailed vulnerability details are currently available
| VAR-202508-2044 | CVE-2025-9091 | Shenzhen Tenda Technology Co.,Ltd. of AC20 Hardcoded password usage vulnerability in firmware |
CVSS V2: 1.0 CVSS V3: 2.5 Severity: Low |
A security flaw has been discovered in Tenda AC20 16.03.08.12. Affected by this vulnerability is an unknown functionality of the file /etc_ro/shadow. The manipulation leads to hard-coded credentials. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. Shenzhen Tenda Technology Co.,Ltd. of AC20 The firmware contains vulnerabilities related to the use of hard-coded passwords and vulnerabilities related to the use of hard-coded credentials.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Tenda AC20 is a home router released by Tenda.
The Tenda AC20 suffers from a hardcoded credential vulnerability caused by hardcoded credentials in the /etc_ro/shadow file. This vulnerability could be exploited to compromise confidentiality
| VAR-202508-2009 | CVE-2025-9090 | Shenzhen Tenda Technology Co.,Ltd. of AC20 Injection Vulnerability in Firmware |
CVSS V2: 6.5 CVSS V3: 6.3 Severity: Low |
A vulnerability was identified in Tenda AC20 16.03.08.12. Affected is the function websFormDefine of the file /goform/telnet of the component Telnet Service. The manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Shenzhen Tenda Technology Co.,Ltd. of AC20 The firmware contains injection and command injection vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. This vulnerability stems from the websFormDefine function in the /goform/telnet file failing to properly sanitize special characters and commands when constructing commands. An attacker could exploit this vulnerability to execute arbitrary commands
| VAR-202508-1954 | CVE-2025-9089 | Shenzhen Tenda Technology Co.,Ltd. of AC20 Buffer error vulnerability in firmware |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: High |
A vulnerability was determined in Tenda AC20 16.03.08.12. This issue affects the function sub_48E628 of the file /goform/SetIpMacBind. The manipulation of the argument list leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Shenzhen Tenda Technology Co.,Ltd. of AC20 The firmware contains a buffer error vulnerability and a stack-based buffer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. This vulnerability stems from the failure of the sub_48E628 function parameter list in the /goform/SetIpMacBind file to properly validate the length of input data. An attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service
| VAR-202508-1998 | CVE-2025-9088 | Shenzhen Tenda Technology Co.,Ltd. of AC20 Buffer error vulnerability in firmware |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: High |
A vulnerability was found in Tenda AC20 16.03.08.12. This vulnerability affects the function save_virtualser_data of the file /goform/formSetVirtualSer. The manipulation of the argument list leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. of AC20 The firmware contains a buffer error vulnerability, a stack-based buffer overflow vulnerability, and an out-of-bounds write vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. This vulnerability stems from a failure to properly validate the length of input data in the `save_virtualser_data` function parameter `list` in the `/goform/formSetVirtualSer` file. This vulnerability could allow an attacker to execute arbitrary code or cause a denial of service
| VAR-202508-2027 | CVE-2025-9087 | Shenzhen Tenda Technology Co.,Ltd. of AC20 Buffer error vulnerability in firmware |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: High |
A vulnerability has been found in Tenda AC20 16.03.08.12. This affects the function set_qosMib_list of the file /goform/SetNetControlList of the component SetNetControlList Endpoint. The manipulation of the argument list leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. of AC20 The firmware contains a buffer error vulnerability and a stack-based buffer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. This vulnerability stems from a failure to properly validate the length of input data in the set_qosMib_list function parameter list in the /goform/SetNetControlList file. An attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service
| VAR-202508-2732 | No CVE | Ruisikangda Technology Development Co., Ltd.'s MSG2200 has a command execution vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Ruisikangda Technology Development Co., Ltd. is an industry-leading provider of optical network products and system solutions.
A command execution vulnerability exists in Ruisikangda Technology Development Co., Ltd.'s MSG2200, allowing an attacker to execute arbitrary commands.
| VAR-202508-0724 | CVE-2025-9046 | Shenzhen Tenda Technology Co.,Ltd. of AC20 Buffer error vulnerability in firmware |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: High |
A vulnerability was identified in Tenda AC20 16.03.08.12. This issue affects the function sub_46A2AC of the file /goform/setMacFilterCfg. The manipulation of the argument deviceList leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Shenzhen Tenda Technology Co.,Ltd. of AC20 The firmware contains a buffer error vulnerability and a stack-based buffer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. This vulnerability stems from the failure of the deviceList parameter in the sub_46A2AC function in the /goform/setMacFilterCfg file to properly validate the length of input data. An attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service
| VAR-202508-0725 | CVE-2025-9026 | D-Link Systems, Inc. of DIR-860L Command injection vulnerability in firmware |
CVSS V2: 7.5 CVSS V3: 7.3 Severity: Medium |
A vulnerability was identified in D-Link DIR-860L 2.04.B04. This affects the function ssdpcgi_main of the file htdocs/cgibin of the component Simple Service Discovery Protocol. The manipulation leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. D-Link Systems, Inc. OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state
| VAR-202508-0745 | CVE-2025-9023 | Shenzhen Tenda Technology Co.,Ltd. of AC7 firmware and AC18 Buffer error vulnerability in firmware |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: High |
A vulnerability has been found in Tenda AC7 and AC18 15.03.05.19/15.03.06.44. Affected is the function formSetSchedLed of the file /goform/SetLEDCfg. The manipulation of the argument Time leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. of AC7 firmware and AC18 The firmware contains a buffer error vulnerability and a classic buffer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state
| VAR-202508-0747 | CVE-2025-9007 | Shenzhen Tenda Technology Co.,Ltd. of ch22 Buffer error vulnerability in firmware |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: High |
A vulnerability has been found in Tenda CH22 1.0.0.1. Affected by this issue is the function formeditFileName of the file /goform/editFileName. The manipulation leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. of ch22 The firmware contains a buffer error vulnerability and a classic buffer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. This vulnerability stems from the formeditFileName function in the file /goform/editFileName failing to properly validate the length of input data. An attacker could exploit this vulnerability to execute arbitrary code