VARIoT IoT vulnerabilities database

Affected products: vendor, model and version
CWE format is 'CWE-number'. Threat type can be: remote or local
Look up free text in title and description

VAR-202506-3868 CVE-2025-53416 Delta Electronics DTN Soft Project File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
Delta Electronics DTN Soft Project File Parsing Deserialization of Untrusted Data Remote Code Execution. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the processing of project files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of an administrator. Delta Electronics DTN Soft is a temperature controller software developed by Delta Electronics, a Chinese company
VAR-202506-3468 CVE-2025-53415 Delta Electronics DTM Soft BIN File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
Delta Electronics DTM Soft Project File Parsing Deserialization of Untrusted Data Remote Code Execution. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of BIN files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Delta Electronics DTN Soft is a temperature controller software developed by Delta Electronics, a Chinese company
VAR-202506-3428 CVE-2025-6897 D-Link Systems, Inc.  of  di-7300g+  in the firmware  OS  Command injection vulnerability CVSS V2: 5.2
CVSS V3: 5.5
Severity: Low
A vulnerability classified as critical was found in D-Link DI-7300G+ 19.12.25A1. Affected by this vulnerability is an unknown functionality of the file httpd_debug.asp. The manipulation of the argument Time leads to os command injection. The exploit has been disclosed to the public and may be used. D-Link Systems, Inc. of di-7300g+ The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. D-Link DI-7300G+ is a rugged enterprise-class smart gateway from D-Link, a Chinese company. D-Link DI-7300G+ has a command injection vulnerability, which is caused by a flaw in httpd_debug.asp. An attacker can exploit this vulnerability to execute arbitrary operating system commands on the system
VAR-202506-3347 CVE-2025-6887 Shenzhen Tenda Technology Co.,Ltd.  of  AC5  Buffer error vulnerability in firmware CVSS V2: 9.0
CVSS V3: 8.8
Severity: High
A vulnerability was found in Tenda AC5 15.03.06.47 and classified as critical. Affected by this issue is some unknown functionality of the file /goform/SetSysTimeCfg. The manipulation of the argument time/timeZone leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Shenzhen Tenda Technology Co.,Ltd. of AC5 The firmware contains a buffer error vulnerability and a stack-based buffer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Tenda AC5 has a stack buffer overflow vulnerability, which is caused by the failure of the parameters time and timeZone in the file /goform/SetSysTimeCfg to correctly verify the length of the input data. Attackers can exploit this vulnerability to execute arbitrary code on the system or cause a denial of service
VAR-202506-3359 CVE-2025-6886 Shenzhen Tenda Technology Co.,Ltd.  of  AC5  Buffer error vulnerability in firmware CVSS V2: 9.0
CVSS V3: 8.8
Severity: High
A vulnerability has been found in Tenda AC5 15.03.06.47 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /goform/openSchedWifi. The manipulation of the argument schedStartTime/schedEndTime leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Shenzhen Tenda Technology Co.,Ltd. of AC5 The firmware contains a buffer error vulnerability and a stack-based buffer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The vulnerability is caused by the failure of the parameters schedStartTime and schedEndTime in the file /goform/openSchedWifi to correctly verify the length of the input data. Attackers can exploit this vulnerability to execute arbitrary code on the system or cause a denial of service
VAR-202506-3360 CVE-2025-6882 D-Link Systems, Inc.  of  DIR-513  Buffer error vulnerability in firmware CVSS V2: 9.0
CVSS V3: 8.8
Severity: High
A vulnerability classified as critical has been found in D-Link DIR-513 1.0. This affects an unknown part of the file /goform/formSetWanPPTP. The manipulation of the argument curTime leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. D-Link Systems, Inc. of DIR-513 The firmware contains a buffer error vulnerability and a classic buffer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. D-Link DIR-513 is a wireless router product of D-Link, a Chinese company. The vulnerability is caused by the parameter curTime in the file /goform/formSetWanPPTP failing to correctly verify the length of the input data. Remote attackers can exploit this vulnerability to execute arbitrary code on the system or cause a denial of service attack
VAR-202506-3348 CVE-2025-6881 D-Link Systems, Inc.  of  di-8100  Buffer error vulnerability in firmware CVSS V2: 9.0
CVSS V3: 8.8
Severity: High
A vulnerability was found in D-Link DI-8100 16.07.21. It has been rated as critical. Affected by this issue is some unknown functionality of the file /pppoe_base.asp of the component jhttpd. The manipulation of the argument mschap_en leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. D-Link Systems, Inc. of di-8100 The firmware contains a buffer error vulnerability and a classic buffer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. D-Link DI-8100 is a wireless broadband router designed for small and medium-sized network environments by D-Link. The vulnerability is caused by the parameter mschap_en in the file /pppoe_base.asp failing to correctly verify the length of the input data. Remote attackers can exploit this vulnerability to execute arbitrary code on the system or cause a denial of service attack
VAR-202506-3367 CVE-2025-6825 TOTOLINK  of  A702R  Buffer error vulnerability in firmware CVSS V2: 9.0
CVSS V3: 8.8
Severity: High
A vulnerability classified as critical was found in TOTOLINK A702R up to 4.0.0-B20230721.1521. Affected by this vulnerability is an unknown functionality of the file /boafrm/formWlSiteSurvey of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. TOTOLINK of A702R The firmware contains a buffer error vulnerability and a classic buffer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. TOTOLINK A702R is a router device produced by China's Jiweng Electronics (TOTOLINK) company. Attackers can exploit this vulnerability to cause a denial of service or execute arbitrary code on the device
VAR-202506-3353 CVE-2025-6824 TOTOLINK  of  X15  Classic buffer overflow vulnerability in firmware CVSS V2: 9.0
CVSS V3: 8.8
Severity: High
A vulnerability classified as critical has been found in TOTOLINK X15 up to 1.0.0-B20230714.1105. Affected is an unknown function of the file /boafrm/formParentControl of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. TOTOLINK of X15 Firmware has a classic buffer overflow vulnerability.Service operation interruption (DoS) It may be in a state. TOTOLINK X15 is a network wireless extender produced by China's Jiong Electronics Company (TOTOLINK). Attackers can exploit this vulnerability to execute arbitrary code or cause the device to crash
VAR-202506-3419 CVE-2025-50528 Shenzhen Tenda Technology Co.,Ltd.  of  AC6  Stack-based buffer overflow vulnerability in firmware CVSS V2: 7.5
CVSS V3: 7.3
Severity: HIGH
A buffer overflow vulnerability exists in the fromNatStaticSetting function of Tenda AC6 <=V15.03.05.19 via the page parameter. Shenzhen Tenda Technology Co.,Ltd. (DoS) It may be in a state. The vulnerability is caused by the fromNatStaticSetting function failing to properly verify the length of the input data. Remote attackers can exploit this vulnerability to execute arbitrary code on the system or cause a denial of service
VAR-202506-3429 CVE-2025-45729 D-Link Systems, Inc.  of  DIR-823-Pro  Access control vulnerabilities in firmware CVSS V2: 7.5
CVSS V3: 6.3
Severity: MEDIUM
D-Link DIR-823-Pro 1.02 has improper permission control, allowing unauthorized users to turn on and access Telnet services. D-Link Systems, Inc. of DIR-823-Pro Firmware contains an access control vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The D-Link DIR-823-Pro is a dual-band smart wireless router with a four-antenna design. It supports 802.11ac Gigabit Wi-Fi technology and offers wireless speeds up to 1200Mbps, meeting the bandwidth-demanding needs of high-definition video playback, online gaming, and other applications
VAR-202506-3867 No CVE H3C ER5100G2 of H3C Technologies Co., Ltd. has a weak password vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
H3C ER5100G2 is an enterprise-class Gigabit high-performance router. H3C ER5100G2 of H3C Technologies Co., Ltd. has a weak password vulnerability, which can be exploited by attackers to log in to the system and obtain sensitive information.
VAR-202506-3574 No CVE Netgear WNDAP360 has an information disclosure vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
WNDAP360 is a wireless access point (AP) device from Netgear Inc. Netgear WNDAP360 has an information leakage vulnerability that attackers can exploit to obtain sensitive information.
VAR-202506-3611 No CVE NETGEAR WNDAP350 has an information disclosure vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
NETGEAR WNDAP350 is a dual-band wireless access point. NETGEAR WNDAP350 has an information disclosure vulnerability that can be exploited by attackers to obtain sensitive information.
VAR-202506-1359 CVE-2025-6627 TOTOLINK  of  A702R  Buffer error vulnerability in firmware CVSS V2: 9.0
CVSS V3: 8.8
Severity: High
A vulnerability has been found in TOTOLINK A702R 4.0.0-B20230721.1521 and classified as critical. This vulnerability affects unknown code of the file /boafrm/formIpv6Setup of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. TOTOLINK of A702R The firmware contains a buffer error vulnerability and a classic buffer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. TOTOLINK A702R is a router device produced by China's Jiweng Electronics (TOTOLINK) company. TOTOLINK A702R has a buffer overflow vulnerability, which is caused by the improper processing of the parameter submit-url in the file /boafrm/formIpv6Setup. No detailed vulnerability details are currently provided
VAR-202506-1360 CVE-2025-6621 TOTOLINK  of  CA300-PoE  in the firmware  OS  Command injection vulnerability CVSS V2: 6.5
CVSS V3: 6.3
Severity: Low
A vulnerability classified as critical has been found in TOTOLINK CA300-PoE 6.2c.884. This affects the function QuickSetting of the file ap.so. The manipulation of the argument hour/minute leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. TOTOLINK of CA300-PoE The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. TOTOLINK CA300-PoE is a wireless access point from China's TOTOLINK Electronics. There is a command injection vulnerability in the TOTOLINK CA300-PoE ap.so file. The vulnerability is caused by the failure of the hour/minute parameter of the file ap.so to properly filter special characters and commands in the construction command. Attackers can exploit this vulnerability to cause arbitrary command execution
VAR-202506-1285 CVE-2025-6620 TOTOLINK  of  CA300-PoE  in the firmware  OS  Command injection vulnerability CVSS V2: 6.5
CVSS V3: 6.3
Severity: Low
A vulnerability was found in TOTOLINK CA300-PoE 6.2c.884. It has been rated as critical. Affected by this issue is the function setUpgradeUboot of the file upgrade.so. The manipulation of the argument FileName leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. TOTOLINK of CA300-PoE The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. TOTOLINK CA300-PoE is a wireless access point device produced by China's Jiweng Electronics (TOTOLINK) company. No detailed vulnerability details are currently provided
VAR-202506-1303 CVE-2025-6619 TOTOLINK  of  CA300-PoE  Command injection vulnerability in firmware CVSS V2: 6.5
CVSS V3: 6.3
Severity: Low
A vulnerability was found in TOTOLINK CA300-PoE 6.2c.884. It has been declared as critical. Affected by this vulnerability is the function setUpgradeFW of the file upgrade.so. The manipulation of the argument FileName leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. TOTOLINK of CA300-PoE The firmware contains a command injection vulnerability. OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. TOTOLINK CA300-PoE is a wireless access point from China's TOTOLINK Electronics. The TOTOLINK CA300-PoE upgrade.so file has a command injection vulnerability, which is caused by the parameter FileName of the file upgrade.so failing to properly filter special characters and commands in the constructed command. Attackers can exploit this vulnerability to cause arbitrary command execution
VAR-202506-1367 CVE-2025-6618 TOTOLINK  of  CA300-PoE  Command injection vulnerability in firmware CVSS V2: 6.5
CVSS V3: 6.3
Severity: Low
A vulnerability was found in TOTOLINK CA300-PoE 6.2c.884. It has been classified as critical. Affected is the function SetWLanApcliSettings of the file wps.so. The manipulation of the argument PIN leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. TOTOLINK of CA300-PoE The firmware contains a command injection vulnerability. OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. TOTOLINK CA300-PoE is a wireless access point from China's TOTOLINK Electronics. The vulnerability is caused by the failure of the parameter PIN of the file wps.so to properly filter the special characters and commands of the constructed command. Attackers can exploit this vulnerability to cause arbitrary command execution
VAR-202506-1322 CVE-2025-6617 D-Link Systems, Inc.  of  DIR-619L  Buffer error vulnerability in firmware CVSS V2: 9.0
CVSS V3: 8.8
Severity: High
A vulnerability was found in D-Link DIR-619L 2.06B01 and classified as critical. This issue affects the function formAdvanceSetup of the file /goform/formAdvanceSetup. The manipulation of the argument webpage leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. D-Link Systems, Inc. of DIR-619L The firmware contains a buffer error vulnerability and a stack-based buffer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. D-Link DIR-619L is a wireless router from D-Link, a Chinese company. There is a stack buffer overflow vulnerability in the D-Link DIR-619L /formAdvanceSetup file, which is caused by incorrect boundary checking. An attacker can exploit this vulnerability to cause a buffer overflow, execute arbitrary code on the system, or cause the application to crash