Totolink A3002R Firmware vulnerabilities
61 known vulnerabilities affecting totolink/a3002r_firmware.
Total CVEs: 61
CISA KEV: 0
Public exploits: 0
Exploited in wild: 1
Severity breakdown: CRITICAL 10, HIGH 33, MEDIUM 18
Vulnerabilities
Page 3 of 4
CVE-2025-45859 | MEDIUM | CVSS 5.4 | CWE-120 | v4.0.0-b20230531.1404 | 2025-05-13
TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow via the bandstr parameter in the formMapDelDevice interface.
nvd
CVE-2025-45867 | MEDIUM | CVSS 5.4 | CWE-121 | v4.0.0-b20230531.1404 | 2025-05-13
TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow via the static_dns1 parameter in the formIpv6Setup interface.
nvd
CVE-2025-25579 | CRITICAL | CVSS 9.8 | CWE-78 | v4.0.0-b20230531.1404 | 2025-03-28
TOTOLINK A3002R V4.0.0-B20230531.1404 is vulnerable to Command Injection in /bin/boa via bandstr.
nvd
CVE-2025-25610 | HIGH | CVSS 8.0 | CWE-120 | v1.1.1-b20200824.0128 | 2025-02-28
TOTOlink A3002R V1.1.1-B20200824.0128 contains a buffer overflow vulnerability. The vulnerability arises from the improper input validation of the static_gw parameter in the formIpv6Setup interface of /bin/boa.
nvd
CVE-2025-25635 | HIGH | CVSS 8.0 | CWE-120 | v1.1.1-b20200824.0128 | 2025-02-28
TOTOlink A3002R V1.1.1-B20200824.0128 contains a buffer overflow vulnerability. The vulnerability arises from the improper input validation of the pppoe_dns1 parameter in the formIpv6Setup interface of /bin/boa.
nvd
CVE-2025-25609 | HIGH | CVSS 8.0 | CWE-120 | v1.1.1-b20200824.0128 | 2025-02-28
TOTOlink A3002R V1.1.1-B20200824.0128 contains a buffer overflow vulnerability. The vulnerability arises from the improper input validation of the static_ipv6 parameter in the formIpv6Setup interface of /bin/boa.
nvd
CVE-2024-54907 | HIGH | CVSS 8.8 | CWE-94 | v4.0.0-b20230531.1404 | 2024-12-26
TOTOLINK A3002R V4.0.0-B20230531.1404 is vulnerable to Remote Code Execution in /bin/boa via formWsc.
nvd
CVE-2024-34195 | CRITICAL | CVSS 9.8 | CWE-787 | v1.1.1-b20200824 | 2024-08-28
TOTOLINK AC1200 Wireless Router A3002R Firmware V1.1.1-B20200824 is vulnerable to Buffer Overflow. In the boa server program's CGI handling function formWlEncrypt, there is a lack of length restriction on the wlan_ssid field. This oversight leads to potential buffer overflow under specific circumstances. For instance, by invoking the formWlanRedir
nvd
CVE-2024-42520 | CRITICAL | CVSS 9.8 | CWE-120 | v4.0.0-b20230531.1404 | 2024-08-12
TOTOLINK A3002R v4.0.0-B20230531.1404 contains a buffer overflow vulnerability in /bin/boa via formParentControl.
nvd
CVE-2024-33820 | HIGH | CVSS 7.5 | CWE-120 | v4.0.0-b20230531.1404 | 2024-05-01
Totolink AC1200 Wireless Dual Band Gigabit Router A3002R_V4 Firmware V4.0.0-B20230531.1404 is vulnerable to Buffer Overflow via the formWlEncrypt function of the boa server. Specifically, the length of the wlan_ssid field triggers the overflow.
nvd
CVE-2022-40109 | CRITICAL | CVSS 9.8 | CWE-276 | v1.1.1-b20200824.0128 | 2022-09-06
TOTOLINK A3002R TOTOLINK-A3002R-He-V1.1.1-B20200824.0128 is vulnerable to Insecure Permissions via binary /bin/boa.
nvd
CVE-2022-40111 | CRITICAL | CVSS 9.8 | CWE-798 | v1.1.1-b20200824.0128 | 2022-09-06
In TOTOLINK A3002R TOTOLINK-A3002R-He-V1.1.1-B20200824.0128 in the shadow.sample file, root is hardcoded in the firmware.
nvd
CVE-2022-40112 | HIGH | CVSS 7.5 | CWE-120 | v1.1.1-b20200824.0128 | 2022-09-06
TOTOLINK A3002R TOTOLINK-A3002R-He-V1.1.1-B20200824.0128 is vulnerable to Buffer Overflow via the hostname parameter in binary /bin/boa.
nvd
CVE-2022-40110 | HIGH | CVSS 7.5 | CWE-120 | v1.1.1-b20200824.0128 | 2022-09-06
TOTOLINK A3002R TOTOLINK-A3002R-He-V1.1.1-B20200824.0128 is vulnerable to Buffer Overflow via /bin/boa.
nvd
CVE-2021-34207 | MEDIUM | CVSS 6.1 | CWE-79 | v1.1.1-b20200824 | 2021-08-20
Cross-site scripting in ddns.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "Domain Name" field, "Server Address" field, "User Name/Email", or "Password/Key" field.
nvd
CVE-2021-34223 | MEDIUM | CVSS 6.1 | CWE-79 | v1.1.1-b20200824 | 2021-08-20
Cross-site scripting in urlfilter.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "URL Address" field.
nvd
CVE-2021-34218 | MEDIUM | CVSS 5.3 | v1.1.1-b20200824 | 2021-08-20
Directory Indexing in Login Portal of TOTOLINK-A702R-V1.0.0-B20161227.1023 allows an attacker to access the /add/, /img/, /js/, and /mobile directories via a GET parameter.
nvd
CVE-2021-34220 | MEDIUM | CVSS 6.1 | CWE-79 | v1.1.1-b20200824 | 2021-08-20
Cross-site scripting in tr069config.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "User Name" field or "Password" field.
nvd
CVE-2021-34228 | MEDIUM | CVSS 6.1 | CWE-79 | v1.1.1-b20200824 | 2021-08-20
Cross-site scripting in parent_control.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "Description" field and "Service Name" field.
nvd
CVE-2021-34215 | MEDIUM | CVSS 6.1 | CWE-79 | v1.1.1-b20200824 | 2021-08-20
Cross-site scripting in tcpipwan.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "Service Name" field.
nvd