cbcvebase.
CVE-2025-3990
published 2025-04-27

CVE-2025-3990: A vulnerability, which was classified as critical, has been found in TOTOLINK N150RT 3.4.0-B20190525. Affected by this issue is some unknown functionality of…

PriorityP261high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.85%
53.6th percentile
A vulnerability, which was classified as critical, has been found in TOTOLINK N150RT 3.4.0-B20190525. Affected by this issue is some unknown functionality of the file /boafrm/formVlan. The manipulation of the argument submit-url leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Affected

2 ranges
VendorProductVersion rangeFixed in
totolinkn150rt
totolinkn150rt_firmware

Detection & IOCsextracted from sources · hover to see the quote

path/boafrm/formVlan
urlhttps://github.com/fizz-is-on-the-way/Iot_vuls/tree/main/N150RT
snort
alert http1 any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Totolink BufferOverflow Attempt multiple URI endpoints submit-url Parameter Buffer Overflow Attempt (CVE-2025-3990, CVE-2025-3993)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/boafrm/form"; startswith; pcre:"/^(?:Vlan|WdsEncrypt|Wlwds|Wsc)/R"; http.request_body; content:"submit-url"; fast_pattern; pcre:"/^\x3d[^\x26$]{100,}(?:\x26|$)/R"; http.header_names; content:!"\x0d\x0aCookie\x0d\x0a"; reference:cve,2025-3990; reference:cve,2025-3991; reference:cve,2025-3992; reference:cve,2025-3993; reference:url,github.com/fizz-is-on-the-way/Iot_vuls/tree/main/N150RT; classtype:web-application-attack; sid:2062172; rev:3;)
  • Exploit targets HTTP POST requests to URI paths beginning with /boafrm/form followed by one of: Vlan, WdsEncrypt, Wlwds, or Wsc
  • The overflow payload is carried in the POST body via the 'submit-url' parameter; a value of 100 or more characters after the '=' sign (before '&' or end-of-body) is indicative of exploitation
  • ·The Snort/Suricata rule (sid:2062172) covers four CVEs simultaneously (CVE-2025-3990, -3991, -3992, -3993) across multiple endpoints; tune or split the rule if per-CVE fidelity is required
  • ·Affected product is TOTOLINK N150RT firmware version 3.4.0-B20190525; ensure detection scope is limited to traffic destined for this device class to reduce false positives

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.08.7HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.