Vulnerabilities > CVE-2020-25499 - Missing Authorization vulnerability in Totolink products

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

totolink

CWE-862

NVD

Published: 2020-12-09

Updated: 2021-07-21

Summary

TOTOLINK A3002RU-V2.0.0 B20190814.1034 allows authenticated remote users to modify the system's 'Run Command'. An attacker can use this functionality to execute arbitrary OS commands on the router.

Vulnerable Configurations

Part	Description	Count
OS	Totolink Totolink A3002R Firmware 1.1.1-B20200824 Totolink A3002Ru V1 Firmware * Totolink A3002Ru V2 Firmware * Totolink A702R V2 Firmware * Totolink A702R V3 Firmware * Totolink N100Re V3 Firmware * Totolink N150Rt Firmware - Totolink N150Rt Firmware 3.4.0 Totolink N200Re V3 Firmware * Totolink N200Re V4 Firmware * Totolink N210Re Firmware * Totolink N300Rh V3 Firmware 3.0.0-B20150331.0858 Totolink N300Rt Firmware - Totolink N300Rt Firmware 3.2.4-B20180730.0906 Totolink N300Rt Firmware 3.4.0 Totolink N302R Plus Firmware *	16
Hardware	Totolink Totolink A3002R - Totolink A3002Ru V1 - Totolink A3002Ru V2 - Totolink A702R V2 - Totolink A702R V3 - Totolink N100Re V3 - Totolink N150Rt - Totolink N200Re V3 - Totolink N200Re V4 - Totolink N210Re - Totolink N300Rh V3 - Totolink N300Rt - Totolink N302R Plus -	13

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References