← Back

CVE-2020-25499

nvd nist
Published: Dec 9, 2020Modified: Nov 21, 2024

JSON object

Loading...
8.8
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: NVD

Description

TOTOLINK A3002RU-V2.0.0 B20190814.1034 allows authenticated remote users to modify the system's 'Run Command'. An attacker can use this functionality to execute arbitrary OS commands on the router.

Affected (13)

Totolink
13 products
A3002r Firmware
A3002ru V1 Firmware
A3002ru V2 Firmware
A702r V2 Firmware
A702r V3 Firmware
N100re V3 Firmware
N150rt Firmware
N200re V3 Firmware
N200re V4 Firmware
N210re Firmware
N300rh V3 Firmware
N300rt Firmware
N302r Plus Firmware
Configuration A
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
A3002r Firmware
Before 1.1.1-b20200824.0128
Running on/withPlatform Versions
Totolink
A3002r
All versions
Configuration B
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
A3002ru V1 Firmware
Before 3.4.0-b20201030.1754
Running on/withPlatform Versions
Totolink
A3002ru V1
All versions
Configuration C
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
A3002ru V2 Firmware
Before 2.1.1-b20200911.1756
Running on/withPlatform Versions
Totolink
A3002ru V2
All versions
Configuration D
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
A702r V2 Firmware
Before 1.0.0-b20201028.1743
Running on/withPlatform Versions
Totolink
A702r V2
All versions
Configuration E
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
A702r V3 Firmware
Before 1.0.0-b20201103.1713
Running on/withPlatform Versions
Totolink
A702r V3
All versions
Configuration F
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
N100re V3 Firmware
Before 3.4.0-b20201030.0926
Running on/withPlatform Versions
Totolink
N100re V3
All versions
Configuration G
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
N150rt Firmware
Before 3.4.0-b20201030.1142
Running on/withPlatform Versions
Totolink
N150rt
All versions
Configuration H
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
N200re V3 Firmware
Before 3.4.0-b20201029.1811
Running on/withPlatform Versions
Totolink
N200re V3
All versions
Configuration I
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
N200re V4 Firmware
Before 4.0.0-b20200805.1507
Running on/withPlatform Versions
Totolink
N200re V4
All versions
Configuration J
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
N210re Firmware
Before 1.0.0-b20201030.2030
Running on/withPlatform Versions
Totolink
N210re
All versions
Configuration K
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
N300rh V3 Firmware
Before 3.2.4-b20201029.1838
Running on/withPlatform Versions
Totolink
N300rh V3
All versions
Configuration L
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
N300rt Firmware
Before 3.4.0-b20201026.2033
Running on/withPlatform Versions
Totolink
N300rt
All versions
Configuration M
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
N302r Plus Firmware
Before 3.4.0-b20201028.2224
Running on/withPlatform Versions
Totolink
N302r Plus
All versions

Related CWEs

CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-862
Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (4)

Source: cve@mitre.org
ExploitThird Party Advisory
Source: cve@mitre.org
PatchVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchVendor Advisory

Timeline

No history available yet.