⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.

CVE-2020-25499OS Command Injection in A3002r Firmware

CWE-78OS Command InjectionCWE-862Missing AuthorizationCWE-77Command Injection4 documents4 sources
Severity
8.8HIGHNVD
EPSS
19.0%
top 4.66%
CISA KEV
Not in KEV
Exploit
Exploited in wild
Active exploitation observed
Affected products
13
Totolink A3002r FirmwareTotolink A3002ru-v1 FirmwareTotolink A3002ru-v2 Firmware+10 more
Timeline
PublishedDec 9
Latest updateMay 24

Description

TOTOLINK A3002RU-V2.0.0 B20190814.1034 allows authenticated remote users to modify the system's 'Run Command'. An attacker can use this functionality to execute arbitrary OS commands on the router.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages13 packages

NVDtotolink/a3002ru-v1_firmware< 3.4.0-b20201030.1754
NVDtotolink/a3002ru-v2_firmware< 2.1.1-b20200911.1756
NVDtotolink/a3002r_firmware< 1.1.1-b20200824.0128
NVDtotolink/n150rt_firmware< 3.4.0-b20201030.1142
NVDtotolink/n210re_firmware< 1.0.0-b20201030.2030

Patches

Patch: www.totolink.netPatch: www.totolink.net

🔴Vulnerability Details

3
GHSA
GHSA-g4mx-vhr8-g9g7: TOTOLINK A3002RU-V22022-05-24
CVEList
CVE-2020-25499: TOTOLINK A3002RU-V22020-12-09
VulnCheck
totolink a3002r_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')2020
CVE-2020-25499 — OS Command Injection | cvebase