CVE-2025-3987 — Injection in N150rt

CWE-74 — Injection CWE-77 — Command Injection5 documents5 sources

Severity

5.3MEDIUMNVD

EPSS

8.9%

top 7.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Totolink N150rt Totolink N150rt Firmware

Timeline

PublishedApr 27

Latest updateMay 8

Description

A vulnerability was found in TOTOLINK N150RT 3.4.0-B20190525. It has been rated as critical. This issue affects some unknown processing of the file /boafrm/formWsc. The manipulation of the argument localPin leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Packages2 packages

▶CVEListV5totolink/n150rt3.4.0-B20190525

▶NVDtotolink/n150rt_firmware3.4.0-b20190525

🔴Vulnerability Details

GHSA

GHSA-59gw-jx9x-fx7m: A vulnerability was found in TOTOLINK N150RT 3↗2025-04-28

▶

CVEList

TOTOLINK N150RT formWsc command injection↗2025-04-27

▶

VulnCheck

totolink n150rt_firmware Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')↗2025

▶

🔍Detection Rules

Suricata

ET WEB_SPECIFIC_APPS Totolink BufferOverflow Attempt formWsc localPin Command Injection Attempt (CVE-2025-3987)↗2025-05-08

▶