VYPR

A3002RU

by Totolink

CVEs (91)

  • CVE-2019-19825 · Cri · Jan 27, 2020
    risk 0.66 · cvss 9.8 · epss 0.30

    On certain TOTOLINK Realtek SDK based routers, the CAPTCHA text can be retrieved via an {"topicurl":"setting/getSanvas"} POST to the boafrm/formLogin URI, leading to a CAPTCHA bypass. (Also, the CAPTCHA text is not needed once the attacker has determined valid credentials. The…

  • CVE-2022-40111 · Cri · Sep 6, 2022
    risk 0.64 · cvss 9.8 · epss 0.01

    In TOTOLINK A3002R TOTOLINK-A3002R-He-V1.1.1-B20200824.0128 in the shadow.sample file, root is hardcoded in the firmware.

  • CVE-2022-40109 · Cri · Sep 6, 2022
    risk 0.64 · cvss 9.8 · epss 0.01

    TOTOLINK A3002R TOTOLINK-A3002R-He-V1.1.1-B20200824.0128 is vulnerable to Insecure Permissions via binary /bin/boa.

  • CVE-2022-35491 · Cri · Aug 10, 2022
    risk 0.64 · cvss 9.8 · epss 0.01

    TOTOLINK A3002RU V3.0.0-B20220304.1804 has a hardcoded password for root in /etc/shadow.sample.

  • CVE-2018-13316 · Cri · Nov 27, 2018
    risk 0.64 · cvss 9.8 · epss 0.03

    System command injection in formAliasIp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "subnet" POST parameter.

  • CVE-2018-13314 · Cri · Nov 27, 2018
    risk 0.64 · cvss 9.8 · epss 0.03

    System command injection in formAliasIp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ipAddr" POST parameter.

  • CVE-2018-13307 · Cri · Nov 27, 2018
    risk 0.64 · cvss 9.8 · epss 0.03

    System command injection in fromNtp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ntpServerIp2" POST parameter. Certain payloads cause the device to become permanently inoperable.

  • CVE-2018-13306 · Cri · Nov 27, 2018
    risk 0.64 · cvss 9.8 · epss 0.03

    System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ftpUser" POST parameter.

  • CVE-2018-13315 · Cri · Nov 26, 2018
    risk 0.64 · cvss 9.8 · epss 0.02

    Incorrect access control in formPasswordSetup in TOTOLINK A3002RU version 1.0.8 allows attackers to change the admin user's password via an unauthenticated POST request.

  • CVE-2018-13311 · Cri · Nov 26, 2018
    risk 0.64 · cvss 9.8 · epss 0.03

    System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "sambaUser" POST parameter.

  • CVE-2019-19824 · Hig · Jan 27, 2020
    risk 0.59 · cvss 8.8 · epss 0.25

    On certain TOTOLINK Realtek SDK based routers, an authenticated attacker may execute arbitrary OS commands via the sysCmd parameter to the boafrm/formSysCmd URI, even if the GUI (syscmd.htm) is not available. This allows for full control over the device's internals. This affects…

  • CVE-2020-25499 · Hig · Dec 9, 2020
    risk 0.58 · cvss 8.8 · epss 0.04

    TOTOLINK A3002RU-V2.0.0 B20190814.1034 allows authenticated remote users to modify the system's 'Run Command'. An attacker can use this functionality to execute arbitrary OS commands on the router.

  • CVE-2023-48859 · Hig · Dec 6, 2023
    risk 0.57 · cvss 8.8 · epss 0.01

    TOTOLINK A3002RU version 2.0.0-B20190902.1958 has a post-authentication RCE due to incorrect access control, which allows attackers to bypass front-end security restrictions and execute arbitrary code.

  • CVE-2026-36837 · Hig · Apr 29, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    TOTOLINK A3002RU V3 <= V3.0.0-B20220304.1804 was discovered to contain a stack-based buffer overflow via the hostname parameter in the formMapDelDevice function.

  • CVE-2024-51228 · Med · Nov 27, 2024
    risk 0.49 · cvss 6.8 · epss 0.04

    An issue in TOTOLINK-CX-A3002RU V1.0.4-B20171106.1512 and TOTOLINK-CX-N150RT V2.1.6-B20171121.1002 and TOTOLINK-CX-N300RT V2.1.6-B20170724.1420 and TOTOLINK-CX-N300RT V2.1.8-B20171113.1408 and TOTOLINK-CX-N300RT V2.1.8-B20191010.1107 and TOTOLINK-CX-N302RE V2.0.2-B20170511.1523…

  • CVE-2022-40112 · Hig · Sep 6, 2022
    risk 0.49 · cvss 7.5 · epss 0.01

    TOTOLINK A3002R TOTOLINK-A3002R-He-V1.1.1-B20200824.0128 is vulnerable to Buffer Overflow via the hostname parameter in binary /bin/boa.

  • CVE-2022-40110 · Hig · Sep 6, 2022
    risk 0.49 · cvss 7.5 · epss 0.01

    TOTOLINK A3002R TOTOLINK-A3002R-He-V1.1.1-B20200824.0128 is vulnerable to Buffer Overflow via /bin/boa.

  • CVE-2019-19823 · Hig · Jan 27, 2020
    risk 0.49 · cvss 7.5 · epss 0.06

    A certain router administration interface (that includes Realtek APMIB 0.11f for Boa 0.94.14rc21) stores cleartext administrative passwords in flash memory and in a file. This affects TOTOLINK A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0,…

  • CVE-2019-19822 · Hig · Jan 27, 2020
    risk 0.49 · cvss 7.5 · epss 0.09

    A certain router administration interface (that includes Realtek APMIB 0.11f for Boa 0.94.14rc21) allows remote attackers to retrieve the configuration, including sensitive data (usernames and passwords). This affects TOTOLINK A3002RU through 2.0.0, A702R through 2.1.3, N301RT…

  • CVE-2025-6485 · Med · Jun 22, 2025
    risk 0.42 · cvss 6.3 · epss 0.06

    A vulnerability was found in TOTOLINK A3002R 1.1.1-B20200824.0128. It has been classified as critical. This affects the function formWlSiteSurvey of the file /boafrm/formWlSiteSurvey. The manipulation of the argument wlanif leads to os command injection. It is possible to…
