VARIoT IoT vulnerabilities database
| VAR-202510-2332 | CVE-2025-63462 | TOTOLINK A7000R sub_421A04 Function Stack Buffer Overflow Vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
Totolink A7000R v9.1.0u.6115_B20201022 was discovered to contain a stack overflow via the wifiOff parameter in the sub_421A04 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. The TOTOLINK A7000R is a wireless router launched by TOTOLINK Electronics Co., Ltd. in China. It supports WiFi 7 technology and is suitable for home or small business network environments. This vulnerability stems from the fact that the wifiOff parameter in the sub_421A04 function fails to properly validate the length of the input data.
| VAR-202510-2144 | CVE-2025-63461 | TOTOLINK A7000R urldecode function stack buffer overflow vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
Totolink A7000R v9.1.0u.6115_B20201022 was discovered to contain a stack overflow via the ssid5g parameter in the urldecode function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. The TOTOLINK A7000R is a wireless router launched by TOTOLINK Electronics Co., Ltd. in China. It supports WiFi 7 technology and is suitable for home or small business network environments. This vulnerability stems from the fact that the ssid5g parameter in the urldecode function fails to properly validate the length of the input data.
| VAR-202510-2190 | CVE-2025-63460 | TOTOLINK A7000R sub_4222E0 Function Stack Buffer Overflow Vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
Totolink A7000R v9.1.0u.6115_B20201022 was discovered to contain a stack overflow via the ssid5g parameter in the sub_4222E0 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. The TOTOLINK A7000R is a wireless router launched by TOTOLINK Electronics Co., Ltd. in China. It supports WiFi 7 technology and is suitable for home or small business network environments. This vulnerability stems from the fact that the ssid5g parameter in the sub_4222E0 function fails to properly validate the length of the input data. An attacker could exploit this vulnerability to cause a denial-of-service attack.
| VAR-202510-2189 | CVE-2025-63469 | TOTOLINK LR350 sub_421BAC function stack buffer overflow vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
Totolink LR350 v9.3.5u.6369_B20220309 was discovered to contain a stack overflow via the ssid parameter in the sub_421BAC function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. The TOTOLINK LR350 is a 4G LTE wireless router launched by TOTOLINK Electronics, a Chinese company. It supports converting 4G signals to wired signals and is suitable for home and office use.
The TOTOLINK LR350 contains a stack buffer overflow vulnerability. This vulnerability stems from the fact that the ssid parameter in the sub_421BAC function fails to properly validate the length of the input data.
| VAR-202510-2080 | CVE-2025-63468 | TOTOLINK LR350 http_host parameter stack buffer overflow vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
Totolink LR350 v9.3.5u.6369_B20220309 was discovered to contain a stack overflow via the http_host parameter in the sub_426EF8 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. The TOTOLINK LR350 is a 4G LTE wireless router launched by TOTOLINK Electronics, a Chinese company. It supports converting 4G signals to wired signals and is suitable for home and office use. This vulnerability stems from the fact that the http_host parameter in the sub_426EF8 function fails to properly validate the length of the input data.
| VAR-202510-2081 | CVE-2025-63467 | TOTOLINK LR350 sub_425400 function stack buffer overflow vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
Totolink LR350 v9.3.5u.6369_B20220309 was discovered to contain a stack overflow via the ssid parameter in the sub_425400 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. The TOTOLINK LR350 is a 4G LTE wireless router launched by TOTOLINK, a Chinese electronics company. It supports converting 4G signals to wired signals and is suitable for home and office use.
The TOTOLINK LR350 contains a stack buffer overflow vulnerability. This vulnerability stems from the fact that the ssid parameter in the sub_425400 function fails to properly validate the length of the input data.
| VAR-202510-2382 | CVE-2025-63466 | TOTOLINK LR350 sub_426EF8 function stack buffer overflow vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
Totolink LR350 v9.3.5u.6369_B20220309 was discovered to contain a stack overflow via the password parameter in the sub_426EF8 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. The TOTOLINK LR350 is a 4G LTE wireless router launched by TOTOLINK, a Chinese electronics company. It supports converting 4G signals to wired signals and is suitable for home and office use. This vulnerability stems from the fact that the password parameter in the sub_426EF8 function fails to properly validate the length of the input data.
| VAR-202510-3515 | CVE-2025-12554 | An unidentified vulnerability exists in Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 (CNVD-2025-29071). |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Missing Security Headers. This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company.
A security vulnerability exists in both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4, stemming from a missing security header. Detailed vulnerability information is not currently available.
| VAR-202510-3385 | CVE-2025-12553 | An unidentified vulnerability exists in Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 (CNVD-2025-29076). |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Email Server Certificate Verification Disabled. This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company.
Both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 contain a security vulnerability stemming from the disabling of email server certificate verification. Attackers could exploit this vulnerability to launch a man-in-the-middle attack.
| VAR-202510-3993 | CVE-2025-12552 | An unidentified vulnerability exists in Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 (CNVD-2025-29072). |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Insufficient Password Policy. This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company.
Both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 contain a security vulnerability stemming from insufficient password policies. Detailed vulnerability information is not currently available.
| VAR-202510-2153 | CVE-2025-62232 |
CVSS V2: - CVSS V3: 7.5 Severity: HIGH |
Sensitive data exposure via logging in basic-auth leads to plaintext usernames and passwords written to error logs and forwarded to log sinks when log level is INFO/DEBUG. This creates a high risk of credential compromise through log access.
It has been fixed in the following commit: https://github.com/apache/apisix/pull/12629
Users are recommended to upgrade to version 3.14, which fixes this issue.
| VAR-202510-2085 | CVE-2025-61498 | Tenda AC8 buffer overflow vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
A buffer overflow in the UPnP service of Tenda AC8 Hardware v03.03.10.01 allows attackers to cause a Denial of Service (DoS) via supplying a crafted packet. The Tenda AC8 is a wireless router manufactured by Tenda, a Chinese company.
The Tenda AC8 Hardware version v03.03.10.01 contains a buffer overflow vulnerability. This vulnerability stems from a boundary error in the UPnP service when processing untrusted input. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial-of-service attack.
| VAR-202510-2077 | CVE-2025-46363 | Dell Secure Connect Gateway relative path traversal vulnerability |
CVSS V2: 4.0 CVSS V3: 4.3 Severity: MEDIUM |
Dell Secure Connect Gateway (SCG) 5.0 Application and Appliance version(s) 5.26.00.00 - 5.30.00.00, contain a Relative Path Traversal vulnerability in the SCG exposed for an internal collection download REST API (if this REST API is enabled by Admin user from UI). A low privileged attacker with remote access could potentially exploit this vulnerability, leading to allowing relative path traversal to restricted resources. Dell Secure Connect Gateway is an enterprise-grade secure connectivity gateway device from Dell, primarily used to monitor hardware status, automatically create support requests, and ensure secure communication between devices and Dell backend services.
| VAR-202510-3184 | CVE-2025-12517 | An unidentified vulnerability exists in Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 (CNVD-2025-29075). |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
Credits Page not Matching Versions in Use in the Firmware. This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company.
Both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 contain a security vulnerability stemming from a firmware version mismatch. Detailed vulnerability information is not currently available.
| VAR-202510-2768 | CVE-2025-12516 | Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 Denial-of-Service Vulnerabilities (CNVD-2025-29073) |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Lack of Graceful Error Handling - HTTP 5xx Error. This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company.
Both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 contain a denial-of-service vulnerability stemming from a lack of graceful error handling.
| VAR-202510-4097 | CVE-2025-12515 | Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 Denial-of-Service Vulnerabilities (CNVD-2025-29074) |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Systemic Internal Server Errors - HTTP 500 Response. This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company.
Both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 contain a denial-of-service vulnerability stemming from an internal server error. An attacker could exploit this vulnerability to cause an HTTP 500 response.
| VAR-202510-4379 | No CVE | Zhuhai Pantum Printing Technology Co., Ltd.'s Pantum CM1100DN Series has a weak password vulnerability. |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Pantum CM1100DN Series is a color laser multifunction printer.
The Pantum CM1100DN Series printer manufactured by Zhuhai Pantum Printing Technology Co., Ltd. has a weak password vulnerability. Attackers could exploit this vulnerability to log into the system and obtain sensitive information.
| VAR-202510-4199 | CVE-2025-12479 | Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 Cross-Site Request Forgery Vulnerabilities |
CVSS V2: 10.0 CVSS V3: 8.8 Severity: HIGH |
Systemic Lack of Cross-Site Request Forgery (CSRF) Token Implementation. This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company.
Both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 contain a cross-site request forgery (CSRF) vulnerability caused by improper validation of user-provided input. An attacker could exploit this vulnerability to perform unauthorized actions by sending malformed HTTP requests.
| VAR-202510-3387 | CVE-2025-12478 | An unidentified vulnerability exists in Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 (CNVD-2025-29079). |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Non-Compliant TLS Configuration. This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company.
Both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 contain a security vulnerability stemming from non-compliant TLS configuration. Detailed vulnerability information is not currently available.
| VAR-202510-3717 | CVE-2025-12477 | Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 information disclosure vulnerabilities |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Server Version Disclosure. This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company.
Both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 contain an information disclosure vulnerability caused by incorrect authentication. Attackers could exploit this vulnerability to obtain server version information.