CVE-2025-3987
published 2025-04-27CVE-2025-3987: A vulnerability was found in TOTOLINK N150RT 3.4.0-B20190525. It has been rated as critical. This issue affects some unknown processing of the file…
PriorityP181high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
ITWVulnCheck KEV
Exploited in the wild
EPSS
8.33%
94.2th percentile
A vulnerability was found in TOTOLINK N150RT 3.4.0-B20190525. It has been rated as critical. This issue affects some unknown processing of the file /boafrm/formWsc. The manipulation of the argument localPin leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| totolink | n150rt | — | — |
| totolink | n150rt_firmware | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Exploit targets HTTP POST requests to /boafrm/formWsc with the `localPin` parameter containing shell metacharacters for command injection (semicolon, newline, backtick, pipe, dollar sign, double-ampersand — both raw and URL-encoded forms).
- →The URI path has an exact byte size of 15 (/boafrm/formWsc), which can be used as a tight fast-pattern anchor to reduce false positives.
- →Attack is initiated remotely over plaintext HTTP (tls_state plaintext) and targets networking equipment at the perimeter or internally; classify as attempted-admin / Initial Access (T1190).
- ·Affected product is specifically TOTOLINK N150RT firmware version 3.4.0-B20190525; detections should be scoped to this device/firmware to avoid noise. ↗
- ·The Snort rule targets $HOME_NET as the destination, meaning it is designed for perimeter/internal deployment monitoring inbound traffic to the vulnerable device — ensure $HOME_NET is configured to include TOTOLINK device IPs.
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.05.3MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck5.3MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-59gw-jx9x-fx7m: A vulnerability was found in TOTOLINK N150RT 3
ghsa_unreviewed·2025-04-28
CVE-2025-3987 [MEDIUM] CWE-74 GHSA-59gw-jx9x-fx7m: A vulnerability was found in TOTOLINK N150RT 3
A vulnerability was found in TOTOLINK N150RT 3.4.0-B20190525. It has been rated as critical. This issue affects some unknown processing of the file /boafrm/formWsc. The manipulation of the argument localPin leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
VulnCheck
totolink n150rt_firmware Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
vulncheck·2025·CVSS 5.3
CVE-2025-3987 [MEDIUM] totolink n150rt_firmware Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
totolink n150rt_firmware Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
A vulnerability was found in TOTOLINK N150RT 3.4.0-B20190525. It has been rated as critical. This issue affects some unknown processing of the file /boafrm/formWsc. The manipulation of the argument localPin leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Affected: totolink n150rt_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-10-19&host_type=src&vulnerability=cve-
Suricata
ET WEB_SPECIFIC_APPS Totolink BufferOverflow Attempt formWsc localPin Command Injection Attempt (CVE-2025-3987)
suricata·2025-05-08·CVSS 5.3
CVE-2025-3987 [MEDIUM] ET WEB_SPECIFIC_APPS Totolink BufferOverflow Attempt formWsc localPin Command Injection Attempt (CVE-2025-3987)
ET WEB_SPECIFIC_APPS Totolink BufferOverflow Attempt formWsc localPin Command Injection Attempt (CVE-2025-3987)
Rule: alert http1 any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Totolink BufferOverflow Attempt formWsc localPin Command Injection Attempt (CVE-2025-3987)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:15; content:"/boafrm/formWsc"; fast_pattern; http.request_body; content:"localPin|3d|"; pcre:"/^.*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24)|(?:\x26|%26){2})+/R"; http.header_names; content:!"|0d 0a|Cookie|0d 0a|"; reference:cve,2025-3987; reference:url,github.com/fizz-is-on-the-way/Iot_vuls/tree/main/N150RT; classtype:attempted-admin; sid:2062203; rev:1; metadata:affected_product TOTOLINK, attack_target Networki
No public exploits indexed.
No writeups or analysis indexed.
2025-04-27
Published
Exploited in the wild