Totolink A800R Firmware vulnerabilities

23 known vulnerabilities affecting totolink/a800r_firmware.

Total CVEs

CISA KEV

Public exploits

Exploited in wild

Severity breakdown

CRITICAL13HIGH8MEDIUM2

Vulnerabilities

Page 1 of 2

CVE-2025-4496HIGHCVSS 8.7v4.1.8cu.5241_b202109272025-05-10

CVE-2025-4496 [HIGH] CWE-119 CVE-2025-4496: A vulnerability was found in TOTOLINK T10, A3100R, A950RG, A800R, N600R, A3000RU and A810R 4.1.8cu.5 A vulnerability was found in TOTOLINK T10, A3100R, A950RG, A800R, N600R, A3000RU and A810R 4.1.8cu.5241_B20210927. It has been declared as critical. This vulnerability affects the function CloudACMunualUpdate of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument FileName leads to buffer overflow. The attack can be initiated remotely. The ex

nvd

CVE-2025-28018HIGHCVSS 7.3v4.1.2cu.5137_b202007302025-04-23

CVE-2025-28018 [HIGH] CWE-120 CVE-2025-28018: TOTOLINK A800R V4.1.2cu.5137_B20200730 was found to contain a buffer overflow vulnerability in downl TOTOLINK A800R V4.1.2cu.5137_B20200730 was found to contain a buffer overflow vulnerability in downloadFile.cgi through the v14 parameter.

nvd

CVE-2025-28020HIGHCVSS 7.3v4.1.2cu.5137_b202007302025-04-23

CVE-2025-28020 [HIGH] CWE-120 CVE-2025-28020: TOTOLINK A800R V4.1.2cu.5137_B20200730 was found to contain a buffer overflow vulnerability in downl TOTOLINK A800R V4.1.2cu.5137_B20200730 was found to contain a buffer overflow vulnerability in downloadFile.cgi through the v25 parameter.

nvd

CVE-2025-28019HIGHCVSS 7.3v4.1.2cu.5137_b202007302025-04-23

CVE-2025-28019 [HIGH] CWE-120 CVE-2025-28019: TOTOLINK A800R V4.1.2cu.5137_B20200730 was found to contain a buffer overflow vulnerability in the d TOTOLINK A800R V4.1.2cu.5137_B20200730 was found to contain a buffer overflow vulnerability in the downloadFile.cgi component

nvd

CVE-2025-28017MEDIUMCVSS 6.5v4.1.2cu.5032_b202004082025-04-23

CVE-2025-28017 [MEDIUM] CWE-77 CVE-2025-28017: TOTOLINK A800R V4.1.2cu.5032_B20200408 is vulnerable to Command Injection in downloadFile.cgi via th TOTOLINK A800R V4.1.2cu.5032_B20200408 is vulnerable to Command Injection in downloadFile.cgi via the QUERY_STRING parameter.

nvd

CVE-2025-28034CRITICALCVSS 9.8v4.1.2cu.5137_b202007302025-04-22

CVE-2025-28034 [CRITICAL] CWE-78 CVE-2025-28034: TOTOLINK A800R V4.1.2cu.5137_B20200730, A810R V4.1.2cu.5182_B20201026, A830R V4.1.2cu.5182_B20201102 TOTOLINK A800R V4.1.2cu.5137_B20200730, A810R V4.1.2cu.5182_B20201026, A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129 were found to contain a pre-auth remote command execution vulnerability in the NTPSyncWithHost function through the hostTime parameter.

nvd

CVE-2025-28035CRITICALCVSS 9.8v4.1.2cu.5137_b202007302025-04-22

CVE-2025-28035 [CRITICAL] CWE-78 CVE-2025-28035: TOTOLINK A830R V4.1.2cu.5182_B20201102 was found to contain a pre-auth remote command execution vuln TOTOLINK A830R V4.1.2cu.5182_B20201102 was found to contain a pre-auth remote command execution vulnerability in the setNoticeCfg function through the NoticeUrl parameter.

nvd

CVE-2025-28036CRITICALCVSS 9.8v4.1.2cu.5137_b202007302025-04-22

CVE-2025-28036 [CRITICAL] CWE-78 CVE-2025-28036: TOTOLINK A950RG V4.1.2cu.5161_B20200903 was found to contain a pre-auth remote command execution vul TOTOLINK A950RG V4.1.2cu.5161_B20200903 was found to contain a pre-auth remote command execution vulnerability in the setNoticeCfg function through the NoticeUrl parameter.

nvd

CVE-2025-28033HIGHCVSS 7.3v4.1.2cu.5137_b202007302025-04-22

CVE-2025-28033 [HIGH] CWE-121 CVE-2025-28033: TOTOLINK A800R V4.1.2cu.5137_B20200730, A810R V4.1.2cu.5182_B20201026, A830R V4.1.2cu.5182_B20201102 TOTOLINK A800R V4.1.2cu.5137_B20200730, A810R V4.1.2cu.5182_B20201026, A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129 were found to contain a pre-auth buffer overflow vulnerability in the setNoticeCfg function through the IpTo parameter.

nvd

CVE-2025-28032HIGHCVSS 7.3v4.1.2cu.5137_b202007302025-04-22

CVE-2025-28032 [HIGH] CWE-121 CVE-2025-28032: TOTOLINK A800R V4.1.2cu.5137_B20200730, A810R V4.1.2cu.5182_B20201026, A830R V4.1.2cu.5182_B20201102 TOTOLINK A800R V4.1.2cu.5137_B20200730, A810R V4.1.2cu.5182_B20201026, A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129 contain a pre-auth buffer overflow vulnerability in the setNoticeCfg function through the IpForm parameter.

nvd

CVE-2025-28136MEDIUMCVSS 6.5v4.1.2cu.5137_b202007302025-04-15

CVE-2025-28136 [MEDIUM] CWE-121 CVE-2025-28136: TOTOLINK A800R V4.1.2cu.5137_B20200730 was found to contain a buffer overflow vulnerability in the d TOTOLINK A800R V4.1.2cu.5137_B20200730 was found to contain a buffer overflow vulnerability in the downloadFile.cgi.

nvd

CVE-2025-28138CRITICALCVSS 9.8v4.1.2cu.5137_b202007302025-03-27

CVE-2025-28138 [CRITICAL] CWE-78 CVE-2025-28138: The TOTOLINK A800R V4.1.2cu.5137_B20200730 were found to contain a pre-auth remote command execution The TOTOLINK A800R V4.1.2cu.5137_B20200730 were found to contain a pre-auth remote command execution vulnerability in the setNoticeCfg function through the NoticeUrl parameter.

nvd

CVE-2022-36611HIGHCVSS 7.8v4.1.2cu.5137_b202007302022-08-29

CVE-2022-36611 [HIGH] CWE-798 CVE-2022-36611: TOTOLINK A800R V4.1.2cu.5137_B20200730 was discovered to contain a hardcoded password for root at /e TOTOLINK A800R V4.1.2cu.5137_B20200730 was discovered to contain a hardcoded password for root at /etc/shadow.sample.

nvd

CVE-2022-28935HIGHCVSS 7.2v4.1.2cu.5137_b202007302022-07-06

CVE-2022-28935 [HIGH] CWE-77 CVE-2022-28935: Totolink A830R V5.9c.4729_B20191112, Totolink A3100R V4.1.2cu.5050_B20200504, Totolink A950RG V4.1.2 Totolink A830R V5.9c.4729_B20191112, Totolink A3100R V4.1.2cu.5050_B20200504, Totolink A950RG V4.1.2cu.5161_B20200903, Totolink A800R V4.1.2cu.5137_B20200730, Totolink A3000RU V5.9c.5185_B20201128, Totolink A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability.

nvd

CVE-2022-26208CRITICALCVSS 9.8v4.1.2cu.5137_b202007302022-03-15

CVE-2022-26208 [CRITICAL] CWE-78 CVE-2022-26208: Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setWebWlanIdx, via the webWlanIdx parameter. This vulnerability allows attack

nvd

CVE-2022-26212CRITICALCVSS 9.8v4.1.2cu.5137_b202007302022-03-15

CVE-2022-26212 [CRITICAL] CWE-78 CVE-2022-26212: Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setDeviceName, via the deviceMac and deviceName parameters. This vulnerabilit

nvd

CVE-2022-26210CRITICALCVSS 9.8Exploitedv4.1.2cu.5137_b202007302022-03-15

CVE-2022-26210 [CRITICAL] CWE-78 CVE-2022-26210: Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setUpgradeFW, via the FileName parameter. This vulnerability allows attackers

nvd

CVE-2022-26207CRITICALCVSS 9.8v4.1.2cu.5137_b202007302022-03-15

CVE-2022-26207 [CRITICAL] CWE-78 CVE-2022-26207: Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setDiagnosisCfg, via the ipDoamin parameter. This vulnerability allows attack

nvd

CVE-2022-26211CRITICALCVSS 9.8v4.1.2cu.5137_b202007302022-03-15

CVE-2022-26211 [CRITICAL] CWE-78 CVE-2022-26211: Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function CloudACMunualUpdate, via the deviceMac and deviceName parameters. This vulner

nvd

CVE-2022-26209CRITICALCVSS 9.8v4.1.2cu.5137_b202007302022-03-15

CVE-2022-26209 [CRITICAL] CWE-78 CVE-2022-26209: Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setUploadSetting, via the FileName parameter. This vulnerability allows attac

nvd

1 / 2Next →