CRITICAL🇵🇱 Wersja polska

CVE-2025-22900

CVSS 9.8v3.1pub. 2025-04-15upd. 2025-04-22

Totolink N600R v4.3.0cu.7647_B20210106 was discovered to contain a stack overflow via the macCloneMac parameter in the setWanConfig function.

🤖 AI Analysis
How it works

The attacker sends a specially crafted request containing an excessively long value of the macCloneMac parameter to the setWanConfig function of the device. The lack of proper input length validation causes a stack buffer overflow. This enables overwriting critical memory areas, leading to control over program execution flow.

Impact

An unauthorized remote attacker can execute arbitrary code (RCE) on the device without needing any credentials, and can compromise the confidentiality, integrity, and availability of the system in full scope.

Mitigation & patch

Apply patches available from the manufacturer according to the references. Until an update is released, it is recommended to restrict access to the device management interface only to trusted hosts and isolate the device from unprotected network segments.

Who is affected

Totolink N600R in firmware version v4.3.0cu.7647_B20210106

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Totolink N600r

    HW
    Totolink
    wszystkie wersje
  • Totolink N600r Firmware

    OS
    Totolink
    4.3.0cu.7647_b20210106
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-51390CRITICAL9.8PL ✓ten sam produkt

Command injection w TOTOLINK N600R via parametr pin (WPS)

CVE-2025-46060CRITICAL9.8PL ✓ten sam produkt

Buffer Overflow w TOTOLINK N600R umożliwiający zdalne wykonanie kodu

CVE-2023-43141CRITICAL9.8ten sam produkt

TOTOLINK A3700R V9.1.2u.6134_B20201202 and N600R V5.3c.5137 are vulnerable to Incorrect Access Control.

CVE-2022-28907CRITICAL9.8ten sam produkt

TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the hostti...

CVE-2022-28906CRITICAL9.8ten sam produkt

TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the langty...